CVE-2022-33897: Unraveling the Directory Traversal Vulnerability in Robustel R151 3.1.16 and Exploring its Exploitation Potential

A critical weakness has been discovered in Robustel R151 firmware version 3.1.16 that can lead to arbitrary file deletion on affected devices. Tracked as CVE-2022-33897, the vulnerability affects the web_server /ajax/remove/ functionality and can be triggered by a series of carefully crafted network requests.

In this long-read post, we go through the technical details of the vulnerability, look at the affected endpoint and the shape of the requests that trigger it, and list the original references.

Inside the Vulnerability

CVE-2022-33897 is a directory traversal vulnerability that lets attackers manipulate file paths and abuse device functionality to delete arbitrary files. The affected device is the Robustel R151, an industrial cellular VPN router, running firmware version 3.1.16.

The weakness is located in the /ajax/remove/ functionality of the web_server, where a specific sequence of requests can open the door to malicious actions. The affected route takes the file path from the request URL:

web_server /ajax/remove/<file_path>

An attacker, after gaining network access, can use this directory traversal vulnerability to delete system files. In practice, an attacker might send a crafted network request designed to delete vital configuration files or other essential data, like so:

GET /ajax/remove/../../../../../important-file.dat HTTP/1.1
Host: vulnerable.device.ip.address

As seen in the example above, the attacker prefixes the file path with a sequence of ../ segments, so the request traverses the filesystem out of the intended directory and targets an arbitrary file for deletion.

Original References

The CVE-2022-33897 vulnerability has been documented by several reputable security researchers and sources, including:

- Robustel Security Advisory: Robustel_R151_3.1.16_Vulnerability_Report
- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33897
- National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-33897

We encourage you to review these references for additional, in-depth information on the vulnerability, the affected devices, and recommendations on how to mitigate this security risk.

Exploit Details

To exploit CVE-2022-33897, an attacker must have network access to a Robustel R151 router running the vulnerable firmware version 3.1.16. The attacker can then send a specially crafted HTTP request containing the targeted file path to the web_server's /ajax/remove/ endpoint.

For example, the HTTP request may resemble this template:

GET /ajax/remove/<file_path_to_traverse_and_target> HTTP/1.1
Host: vulnerable.device.ip.address

Upon successful execution, the device will delete the targeted file, potentially causing unintended system behavior or even the failure of essential services. The impact of exploiting this vulnerability can vary depending on the files targeted and their significance to the device's operation.

It is important to note that this exploit depends on two things: the attacker having network access to the targeted device, and well-crafted network requests.
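For defenders, the request shape described above can be flagged in HTTP logs. The following is an added example, not code from Robustel or from the original post: it assumes access logs in common log format (for instance from a proxy in front of the device), uses constructed sample lines, and goes slightly beyond the literal ../ case by also normalizing percent-encoded forms.

```python
import re
from urllib.parse import unquote

PREFIX = "/ajax/remove/"  # endpoint named in this post
# Assumed log format: common log format, client address first.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses), not captured from a device.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Oct/2022:17:15:00 +0000] "GET /ajax/remove/../../../../../important-file.dat HTTP/1.1" 200 12',
    '192.0.2.11 - - [25/Oct/2022:17:15:02 +0000] "GET /ajax/remove/upload.tmp HTTP/1.1" 200 12',
    '192.0.2.12 - - [25/Oct/2022:17:15:05 +0000] "GET /ajax/remove/%2e%2e/%2e%2e/important-file.dat HTTP/1.1" 200 12',
    '192.0.2.13 - - [25/Oct/2022:17:15:09 +0000] "GET /ajax/remove/logs/../old.log HTTP/1.1" 200 12',
    '192.0.2.14 - - [25/Oct/2022:17:15:11 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def escapes_base(target: str) -> bool:
    """True if the path after /ajax/remove/ climbs above its starting directory."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # decode repeatedly so encoded "../" forms are normalized
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith(PREFIX):
        return False
    depth = 0
    for segment in path[len(PREFIX):].split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # one more ".." than directories entered so far
                return True
        else:
            depth += 1
    return False

def flag_requests(lines):
    """Return (client, target) for each logged request that escapes the base."""
    matches = (REQUEST.search(line) for line in lines)
    return [m.groups() for m in matches if m and escapes_base(m.group(2))]

if __name__ == "__main__":
    for client, target in flag_requests(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target}")
```

A path such as logs/../old.log stays inside its starting directory and is not flagged; only requests that end up above it are reported.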

Conclusion

In conclusion, CVE-2022-33897 is a critical directory traversal vulnerability affecting the Robustel R151 VPN router's firmware version 3.1.16. This vulnerability enables arbitrary file deletion on the affected device, with potentially significant impacts on the device's operation and stability.

Both users and administrators of Robustel's R151 devices should be aware of this vulnerability and the risks it poses. We recommend reviewing the original references provided and implementing any necessary mitigations or firmware updates to safeguard your networks and devices from potential exploitation.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 03:24:00 UTC