January 5, 2018 Karn Ganeshen

Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal

Cambium Network Updater Tool (CNUT) is the official Cambium software tool for managing Cambium devices.

The Network Updater Tool is a free-of-charge tool that applies packages to upgrade the device types listed as supported in the release notes for the release you are using. Because this tool is available, an operator does not need to visit each module in the network, or even each AP where they would otherwise use the SM Autoupdate capability of the radios.

Vulnerable versions – 4.11.2 – (current at the time of reporting)

Fixed – versions > 4.11.2

Download URL

CNUTInstaller-4.11.2-windows-installer.exe https://support.cambiumnetworks.com/file/75fea4e1ed89c887b935889e8008a7dbbf6a6f2a

Release Notes
https://support.cambiumnetworks.com/file/f4ab4ab572e5f50dcd5c4f8e44e6b6dd72fd4680

Censys.io
https://censys.io/ipv4?q=%22Canopy+Network+Updater%22

Tested on
Windows 7 x86

Setup Process

  1. Install the application.
  2. The default install location is C:\Cambium\NetworkUpdater\.
  3. A web server is started on HTTP(S) 80/443 when the application is run.

 

VULNERABILITY DETAILS

File Path Traversal [No Auth Required]

A file path traversal vulnerability was identified in the CNUT application.

When the CNUT application is started, it runs a web server on HTTP(S) ports 80/443. CNUT is a Java application. The web server does not perform strict input validation and uses input data directly in filesystem operations.

Therefore, an unauthenticated user can read arbitrary files from the file system by issuing the following request:

curl http://IP/../../path/to/file

For example, the following request can be used to read the Windows win.ini file:

On Command Terminal:

HTTP Response:


When submitting the crafted URL via a browser, the forward slash (/) character needs to be encoded. The URL will then be:

http://IP/..%2F..%2Fwindows/win.ini
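
The missing check, shown as an added example for defenders (this is not Cambium's code or its fix): a Java resolver that decodes the request path once, resolves it against the web root, and refuses anything that normalizes to a location outside that root. The class name, the `webroot` directory and the sample requests are assumptions made for illustration; it needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class SafeStaticResolver {
    private final Path root; // canonical form of the only directory that may be served

    public SafeStaticResolver(String webRoot) {
        this.root = Paths.get(webRoot).toAbsolutePath().normalize();
    }

    /** Returns the file to serve, or empty when the request resolves outside the web root. */
    public Optional<Path> resolve(String rawRequestPath) {
        try {
            // Decode once, before any check, so "..%2F" is judged in the same form as "../".
            // (URLDecoder also maps '+' to a space, which is harmless for this check.)
            String decoded = URLDecoder.decode(rawRequestPath, StandardCharsets.UTF_8);
            // Drop leading slashes so the request is always treated as relative to the root.
            String relative = decoded.replaceFirst("^/+", "");
            // normalize() collapses "." and ".." segments; the result must still sit under root.
            // Path.startsWith compares whole path elements, not string prefixes.
            Path candidate = root.resolve(relative).normalize();
            return candidate.startsWith(root) ? Optional.of(candidate) : Optional.empty();
        } catch (IllegalArgumentException e) {
            // Malformed percent-encoding, or characters the platform rejects in a path
            // (InvalidPathException is a subclass of IllegalArgumentException).
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // "webroot" is a hypothetical directory name; the request paths are constructed samples
        // mirroring the two forms shown in this advisory.
        SafeStaticResolver resolver = new SafeStaticResolver("webroot");
        String[] requests = {
            "/index.html",
            "/../../windows/win.ini",
            "/..%2F..%2Fwindows/win.ini",
        };
        for (String request : requests) {
            String verdict = resolver.resolve(request).isPresent() ? "serve" : "reject";
            System.out.println(request + " -> " + verdict);
        }
    }
}
```

`normalize()` works on the path string only and does not follow symbolic links, so a server that allows links inside its web root should additionally compare `toRealPath()` of the existing file against the root. The caller still has to confirm the result is a regular file before reading it.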

CVSS Score
8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N/E:H/RL:ND/RC:ND)

+++++

~Cheers
