A critical remote unauthenticated directory traversal vulnerability (CVE-2021-40661) has been discovered in the web interface of IND780 Advanced Weighing Terminals, specifically affecting the Build 8..07 March 19, 2018 (SS Label 'IND780_8..07') and Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10').

This vulnerability allows an attacker to remotely access and navigate the directories on affected IND780 systems, potentially leading to the exposure of sensitive information and paving the way for future attacks. This post provides an in-depth analysis of the vulnerability, including code snippets, original references, and exploit details.

Vulnerability Details

The vulnerability exists due to insufficient input validation in the 'webpage' parameter within the AutoCE.ini file. By providing a directory traversal path to this parameter, an attacker can move through the file system of the targeted IND780 system.

The following request demonstrates the issue:

GET /?webpage=..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c..\windows\system32\drivers\etc\hosts HTTP/1.1

Exploiting the vulnerability requires an attacker to send a specially crafted HTTP request that uses double URL-encoded backslashes to traverse directories: %255c decodes first to %5c (because %25 is the percent sign) and then to the \ character.

Impact

By exploiting this vulnerability, an attacker can gain unauthorized access to files and sensitive information on the affected system. This information may include system configurations, credentials, and other sensitive data that can be used for further enumeration and attacks.

Remediation

There is currently no patch available for this vulnerability. However, users of affected systems can take the following steps to mitigate the risk:

- Restrict access to the web interface of the IND780 Advanced Weighing Terminal by allowing only trusted IP addresses or using a Virtual Private Network (VPN).
- Apply proper access controls and permissions to sensitive files and directories on the affected system.
- Monitor network activity to detect any unauthorized access attempts to the IND780 Advanced Weighing Terminal.
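
One way to support the monitoring step above, as an added example that is not from the original advisory or the vendor: a Python check for request targets taken from proxy or web-server logs that repeatedly percent-decodes the 'webpage' parameter and flags traversal sequences or more than one encoding layer. The function names, the five-round decode limit and the sample targets are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_ROUNDS = 5  # assumption: upper bound on nested percent-encoding layers
# ".." as a whole path segment, delimited by "/" or "\" or the string ends
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample targets; the first is a shortened form of the request above.
SAMPLES = [
    r"/?webpage=..%255c..%255c..\windows\system32\drivers\etc\hosts",
    "/?webpage=index.htm",
]


def fully_decode(value, max_rounds=MAX_ROUNDS):
    """Percent-decode until the value stops changing; return (value, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_request_target(target):
    """Return a finding for a suspicious 'webpage' parameter, else None."""
    for pair in urlsplit(target).query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name).lower() != "webpage":
            continue
        decoded, rounds = fully_decode(raw)
        traversal = bool(TRAVERSAL.search(decoded))
        # More than one encoding layer is suspicious by itself: it hides
        # characters from any filter that decodes only once.
        if traversal or rounds > 1:
            return {"decoded": decoded, "rounds": rounds, "traversal": traversal}
    return None


if __name__ == "__main__":
    for target in SAMPLES:
        print(target, "->", inspect_request_target(target))
```

Decoding to a fixed point before matching is what catches the %255c form, which a single-pass filter would see only as %5c.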

For more information on this vulnerability, refer to the following sources:

- CVE-2021-40661 - MITRE's listing of the vulnerability
- IND780 Advanced Weighing Terminal Product Page - Official product page for the IND780 Advanced Weighing Terminal
- ICS Advisory (ICSA-21-XXX-XX) - Official vulnerability advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Conclusion

The CVE-2021-40661 remote unauthenticated directory traversal vulnerability in IND780 Advanced Weighing Terminals poses a significant security risk. Users of affected systems should take immediate action to implement the recommended risk mitigation strategies until a patch is released. Stay vigilant, and regularly check for updates from the manufacturer and security researchers.

Timeline

Published on: 10/31/2022 12:15:00 UTC
Last modified on: 11/02/2022 15:50:00 UTC