what you don't know can hurt you

Loytec LGATE-902 XSS / Traversal / File Deletion

Loytec LGATE-902 XSS / Traversal / File Deletion
Posted Apr 9, 2019
Authored by Daniel Ricardo dos Santos

Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss, file inclusion
advisories | CVE-2018-14916, CVE-2018-14918, CVE-2018-14919
MD5 | bf196a89942c4e399ed9ea256488aabb

Loytec LGATE-902 XSS / Traversal / File Deletion

Change Mirror Download
INFORMATION

Product: Loytec LGATE-902 (https://www.loytec.com/)
Affected versions: < 6.4.2 (tested on version 6.3.2)
CVE IDs: CVE-2018-14919 (Stored and reflected XSS), CVE-2018-14918 (Path
traversal), and CVE-2018-14916 (Arbitrary file deletion).
Remote-exploit: yes

TIMELINE

Vendor notification: 26th July, 2018
Vendor acknowledgment: 1st August, 2018
Patch available: 13th November, 2018
Public disclosure: 7th April, 2019

INTRODUCTION

The LGATE-902 Gateway is a powerful gateway that can host user specific
graphical pages. The gateways provide connectivity functions to concurrently
integrate CEA-709 (LonMark Systems), BACnet, KNX, Modbus, and M-Bus. Local
operation and override is provided by the built-in jog dial and the backlit
display (128x64 pixels). Device and data point information is provided by the
Web interface and shown on the display via symbols and in text format.
(Description from: https://www.loytec.com/products/gateways/2259-lgate-902)

The three vulnerabilities described below affect the web application that runs
in the gateways and that is used to manage them.

VULNERABILITIES DESCRIPTION

The XSS vulnerability (CVE-2018-14919) allows an attacker to inject malicious
scripts into the trusted web interface running on a vulnerable device. The
scripts may be executed by the browser of an unsuspecting device administrator
to access session tokens or other sensitive information, as well as to perform
malicious actions on behalf of the user (e.g., internal network discovery and
traffic tunneling using BeEF).

Reflected XSS PoC (show alert dialog):
http://<device_address>/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0

Stored XSS PoC (show alert dialog):
POST http://<device_address>/webui/config/doc/action save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]

The path traversal (CVE-2018-14918) and file deletion (CVE-2018-14916)
vulnerabilities allow an attacker to manipulate path references and access or
delete files and directories (including critical system files) that are stored
outside the root folder of the web application running on the device. This can
be used to read or delete system and configuration files containing, e.g.,
usernames and passwords.

Path traversal PoC (read /etc/passwd):
http://<device_address>/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152

File deletion PoC (delete ../test.txt):
POST http://<device_address>/webui/config/doc/action
delete=1&update=1&name=../test.txt

SOLUTION

Update to version 6.4.2
WARNING - CONFIDENTIAL INFORMATION:
________________________________
The information contained in the e-mail may contain confidential and privileged information and is intended solely for the use of the intended recipient(s). Access for any review, re-transmission, dissemination or other use of, or taking of any action in regard and reliance upon this e-mail by persons or entities other than the intended recipient(s) is unauthorized and prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and any attachments.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close