exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Loytec LGATE-902 XSS / Traversal / File Deletion

Loytec LGATE-902 XSS / Traversal / File Deletion
Posted Apr 9, 2019
Authored by Daniel Ricardo dos Santos

Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss, file inclusion
advisories | CVE-2018-14916, CVE-2018-14918, CVE-2018-14919
SHA-256 | 51a56009ad536852094cf43505795757b313e69de873c34f2e84ccf8fc674f42

Loytec LGATE-902 XSS / Traversal / File Deletion

Change Mirror Download
INFORMATION

Product: Loytec LGATE-902 (https://www.loytec.com/)
Affected versions: < 6.4.2 (tested on version 6.3.2)
CVE IDs: CVE-2018-14919 (Stored and reflected XSS), CVE-2018-14918 (Path
traversal), and CVE-2018-14916 (Arbitrary file deletion).
Remote-exploit: yes

TIMELINE

Vendor notification: 26th July, 2018
Vendor acknowledgment: 1st August, 2018
Patch available: 13th November, 2018
Public disclosure: 7th April, 2019

INTRODUCTION

The LGATE-902 Gateway is a powerful gateway that can host user specific
graphical pages. The gateways provide connectivity functions to concurrently
integrate CEA-709 (LonMark Systems), BACnet, KNX, Modbus, and M-Bus. Local
operation and override is provided by the built-in jog dial and the backlit
display (128x64 pixels). Device and data point information is provided by the
Web interface and shown on the display via symbols and in text format.
(Description from: https://www.loytec.com/products/gateways/2259-lgate-902)

The three vulnerabilities described below affect the web application that runs
in the gateways and that is used to manage them.

VULNERABILITIES DESCRIPTION

The XSS vulnerability (CVE-2018-14919) allows an attacker to inject malicious
scripts into the trusted web interface running on a vulnerable device. The
scripts may be executed by the browser of an unsuspecting device administrator
to access session tokens or other sensitive information, as well as to perform
malicious actions on behalf of the user (e.g., internal network discovery and
traffic tunneling using BeEF).

Reflected XSS PoC (show alert dialog):
http://<device_address>/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0

Stored XSS PoC (show alert dialog):
POST http://<device_address>/webui/config/doc/action save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]

The path traversal (CVE-2018-14918) and file deletion (CVE-2018-14916)
vulnerabilities allow an attacker to manipulate path references and access or
delete files and directories (including critical system files) that are stored
outside the root folder of the web application running on the device. This can
be used to read or delete system and configuration files containing, e.g.,
usernames and passwords.

Path traversal PoC (read /etc/passwd):
http://<device_address>/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152

File deletion PoC (delete ../test.txt):
POST http://<device_address>/webui/config/doc/action
delete=1&update=1&name=../test.txt

SOLUTION

Update to version 6.4.2
WARNING - CONFIDENTIAL INFORMATION:
________________________________
The information contained in the e-mail may contain confidential and privileged information and is intended solely for the use of the intended recipient(s). Access for any review, re-transmission, dissemination or other use of, or taking of any action in regard and reliance upon this e-mail by persons or entities other than the intended recipient(s) is unauthorized and prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and any attachments.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close