CVE-2022-28127
A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.
Robustel R1510 3.3.0
R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/
8.7 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
CWE-20 - Improper Input Validation
The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.
The R1510 has a web server that manages several APIs. One of these API is /ajax/remove/. This function allows to remove files, checking for possible path traversal in the provided input.
Here it is the function that handles the /ajax/remove/ API:
undefined4 /ajax/remove/(Webs *webs)
{
[...]
[...]
file_name = (char *)websGetVar(webs,"file_name",0); [1]
if ((file_name != (char *)0x0) &&
(shell_command = strstr(file_name,".."), shell_command == (char *)0x0)) { [2]
shell_command = (char *)sfmt("rm %s -rf",file_name); [3]
iVar1 = system(shell_command);
[...]
}
At [1] the variable file_name is fetched and then used, at [3], to create the string rm <file_name> -rf. The function checks, at [2], if the provided filen_name contains ... This check, allegedly, is used to prevent path traversal. But because file_name can be an absolute path, an attacker, able to control file_name would be able to delete arbitrary file and directory.
2022-06-27 - Initial vendor contact
2022-06-28 - Vendor Disclosure
2022-06-30 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.