CVE-2024-31841

CVE-2024-31841 – Italtel Embrace

Vulnerability Description: Multiple Relative Path Traversal – CWE-23

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31841

CVSSv3

Severity: 

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

The web server fails to sanitize input data, allowing remote unauthenticated attackers to read arbitrary files on the filesystem.

Step-by-step instructions and PoC

An unauthenticated user can read arbitrary files through multiple functionalities of the web application. An attacker can change the “filename” parameter in the POST request by adding sequences of ‘../’ in order to reference files outside the intended directory. Since the application does not check which directory the file is read from, an attacker can access any file on the filesystem, including application source code, configuration files and so on.

Affected Endpoints

· URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/reportTraceBCCAS/buttonViewReportTraceBCCAS/[ANY-STRING]/[ANY-STRING]/it

· URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/logTrace/buttonViewLogTrace/[ANY-STRING]/[ANY-STRING]/it

· URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/reportTrace/buttonViewReportTrace/[ANY-STRING]/[ANY-STRING]/it

· URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/logTraceBCCAS/buttonViewLogTraceBCCAS/[ANY-STRING]/[ANY-STRING]/it

Below is the evidence, with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

Figure 1.1 - Payload

Figure 1.2 - Relative Path Traversal

Figure 2.1 - Payload

Figure 2.2 – Relative Path Traversal

Figure 3.1 - Payload

Figure 3.2 – Relative Path Traversal

Figure 4.1 - Payload

Figure 4.2 – Relative Path Traversal

Security Impact

By exploiting this vulnerability on the web portal, it was possible to read arbitrary files on the filesystem.

Remediation Steps

Implement strict validation of input parameters. Check that the path specified in the parameter is restricted exclusively to a dedicated directory.
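
One way to implement the directory restriction described above, shown as an added example that is not Italtel's code and not part of the original advisory. The names `resolve_within`, `base_dir`, `reports` and `app.conf` are hypothetical, and the directory tree is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideBaseError(ValueError):
    """The requested file resolves outside the dedicated directory."""


def resolve_within(base_dir, filename):
    """Return the canonical path for `filename` only if it lies under `base_dir`.

    Both names are hypothetical; `filename` stands for the user-controlled
    request parameter described in the advisory.
    """
    if not filename or "\x00" in filename:
        raise PathOutsideBaseError("empty name or NUL byte")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses '../' sequences and follows symlinks, so containment
    # is checked on the file that would actually be opened.
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise PathOutsideBaseError(f"{filename!r} is outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate


def demo():
    """Run the check against a constructed directory tree (sample data)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        reports = Path(root, "reports")              # the dedicated directory
        reports.mkdir()
        (reports / "trace.log").write_text("report data")
        outside = Path(root, "app.conf")             # must never be served
        outside.write_text("constructed secret")
        os.symlink(outside, reports / "link.log")    # symlink pointing outside
        cases = {"plain": "trace.log", "dot-dot": "../app.conf",
                 "nested": "sub/../../app.conf", "absolute": str(outside),
                 "symlink": "link.log"}
        for label, name in cases.items():
            try:
                resolve_within(reports, name)
                results[label] = "allowed"
            except PathOutsideBaseError:
                results[label] = "rejected"
    return results
```

The check is made on the resolved path rather than on the raw string, so filtering for ‘../’ alone is not relied upon; absolute paths and symlinks that leave the directory are rejected by the same comparison.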