
"Details of the six-year-old flaw were publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager 'upload.cgi' function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos reported the flaw to the Canadian company in December 2018. 'This vulnerability exists in the file upload capability of templates within the AirLink 450,' the company said. 'When uploading template files, you can specify the name of the file that you are uploading.'"
"'There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.' Talos noted that some of the files that exist in the directory (e.g., 'fw_upload_init.cgi' or 'fw_status.cgi') have executable permissions on the device, meaning an attacker can send HTTP requests to the '/cgi-bin/upload.cgi' endpoint to upload a file with the same name to achieve code execution."
CVE-2018-4063 is an unrestricted file upload vulnerability in Sierra Wireless AirLink ALEOS routers that can enable remote code execution via a specially crafted HTTP request. The flaw, rated CVSS 8.8/9.9, permits an authenticated HTTP request to upload executable files to the webserver. Cisco Talos disclosed the issue in April 2019 after reporting it in December 2018, identifying the vulnerable ACEManager upload.cgi function in AirLink ES450 firmware 4.9.3. Uploaded files can overwrite existing files and inherit their permissions; several existing files are executable. ACEManager runs as root, so uploaded code executes with elevated privileges.
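The root cause described above is an upload handler that trusts the client-supplied file name and writes over existing files, which then keep their executable mode. The following is an added example of a hardened save routine, not code from Sierra Wireless or Talos; the function name `save_template`, the `.xml` name policy, and the directory contents are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed policy: a template name is a bare basename with one fixed extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.xml$")


class UploadRejected(Exception):
    """Raised when an upload violates the naming or overwrite policy."""


def save_template(upload_dir: str, client_name: str, data: bytes) -> str:
    """Store an uploaded template without touching files already on disk."""
    # Allowlist the name: no path separators, no ".cgi", nothing unexpected.
    if not SAFE_NAME.fullmatch(client_name):
        raise UploadRejected(f"name not allowed: {client_name!r}")
    dest = os.path.join(upload_dir, client_name)
    # O_EXCL fails if the name already exists (including as a symlink), so an
    # upload can never replace a file and take over its permission bits.
    try:
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise UploadRejected(f"refusing to overwrite: {client_name!r}") from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Exercise the checks against a constructed directory layout."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for an executable CGI already on the device.
        existing = os.path.join(d, "fw_status.cgi")
        with open(existing, "wb") as fh:
            fh.write(b"original")
        os.chmod(existing, 0o755)
        for name in ("fw_status.cgi", "../evil.xml", "site.xml", "site.xml"):
            try:
                path = save_template(d, name, b"<template/>")
                outcome = os.stat(path).st_mode & 0o777  # mode of the new file
            except UploadRejected:
                outcome = "rejected"
            results.setdefault(name, []).append(outcome)
        with open(existing, "rb") as fh:
            results["existing_intact"] = fh.read() == b"original"
    return results


if __name__ == "__main__":
    print(demo())
```

Storing uploads in a directory the web server never executes from, and running the handler as an unprivileged user rather than root, limits the impact if a check like this is ever bypassed.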
Read at The Hacker News