what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Loytec LGATE-902 XSS / Traversal / File Deletion

Loytec LGATE-902 XSS / Traversal / File Deletion
Posted Apr 9, 2019
Authored by Daniel Ricardo dos Santos

Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss, file inclusion
advisories | CVE-2018-14916, CVE-2018-14918, CVE-2018-14919
SHA-256 | 51a56009ad536852094cf43505795757b313e69de873c34f2e84ccf8fc674f42

Loytec LGATE-902 XSS / Traversal / File Deletion

Change Mirror Download
INFORMATION

Product: Loytec LGATE-902 (https://www.loytec.com/)
Affected versions: < 6.4.2 (tested on version 6.3.2)
CVE IDs: CVE-2018-14919 (Stored and reflected XSS), CVE-2018-14918 (Path
traversal), and CVE-2018-14916 (Arbitrary file deletion).
Remote-exploit: yes

TIMELINE

Vendor notification: 26th July, 2018
Vendor acknowledgment: 1st August, 2018
Patch available: 13th November, 2018
Public disclosure: 7th April, 2019

INTRODUCTION

The LGATE-902 Gateway is a powerful gateway that can host user specific
graphical pages. The gateways provide connectivity functions to concurrently
integrate CEA-709 (LonMark Systems), BACnet, KNX, Modbus, and M-Bus. Local
operation and override is provided by the built-in jog dial and the backlit
display (128x64 pixels). Device and data point information is provided by the
Web interface and shown on the display via symbols and in text format.
(Description from: https://www.loytec.com/products/gateways/2259-lgate-902)

The three vulnerabilities described below affect the web application that runs
in the gateways and that is used to manage them.

VULNERABILITIES DESCRIPTION

The XSS vulnerability (CVE-2018-14919) allows an attacker to inject malicious
scripts into the trusted web interface running on a vulnerable device. The
scripts may be executed by the browser of an unsuspecting device administrator
to access session tokens or other sensitive information, as well as to perform
malicious actions on behalf of the user (e.g., internal network discovery and
traffic tunneling using BeEF).

Reflected XSS PoC (show alert dialog):
http://<device_address>/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0

Stored XSS PoC (show alert dialog):
POST http://<device_address>/webui/config/doc/action save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]

The path traversal (CVE-2018-14918) and file deletion (CVE-2018-14916)
vulnerabilities allow an attacker to manipulate path references and access or
delete files and directories (including critical system files) that are stored
outside the root folder of the web application running on the device. This can
be used to read or delete system and configuration files containing, e.g.,
usernames and passwords.

Path traversal PoC (read /etc/passwd):
http://<device_address>/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152

File deletion PoC (delete ../test.txt):
POST http://<device_address>/webui/config/doc/action
delete=1&update=1&name=../test.txt

SOLUTION

Update to version 6.4.2
WARNING - CONFIDENTIAL INFORMATION:
________________________________
The information contained in the e-mail may contain confidential and privileged information and is intended solely for the use of the intended recipient(s). Access for any review, re-transmission, dissemination or other use of, or taking of any action in regard and reliance upon this e-mail by persons or entities other than the intended recipient(s) is unauthorized and prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and any attachments.


Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    21 Files
  • 27
    Aug 27th
    28 Files
  • 28
    Aug 28th
    15 Files
  • 29
    Aug 29th
    41 Files
  • 30
    Aug 30th
    13 Files
  • 31
    Aug 31st
    467 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close