@neolead
Created June 20, 2018 10:55
CVE-2018-11241
[Suggested description]
An issue was discovered on SoftCase T-Router build 20112017 devices.
A remote attacker can read and write to arbitrary files on the system
as root, as demonstrated by code execution after writing to a crontab file.
This is fixed in production builds as of Spring 2018.
------------------------------------------
[Additional Information]
In addition to executing the above-mentioned 'top'-level commands, the
T-Router protocol includes commands for reading a specified file and
for appending to the end of a specified file (or creating a new one).
Because the executable itself runs as root, every file on the system
can be read. An attacker can, for example, write a command to
crontab and thus get code execution.
The vulnerability was found in January 2018.
It was reported to the vendor.
The bug was successfully closed in April 2018.
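
A defender-side check for the append-or-create primitive described above, as an added example that is not part of the original advisory or the vendor's fix: because the command appends to a file or creates a new one, a tampered cron file keeps its known-good content as a prefix, which separates it from an ordinary edit. The function names, directory layout and sample cron lines are constructed for illustration.

```python
import hashlib
import os
import tempfile

def read_tree(root):
    """Return {path: bytes} for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[path] = fh.read()
    return out

def snapshot(root):
    """Known-good baseline: (length, sha256) per file."""
    return {p: (len(d), hashlib.sha256(d).hexdigest())
            for p, d in read_tree(root).items()}

def classify(root, base):
    """Compare the tree with the baseline; return {path: (verdict, added_bytes)}."""
    current = read_tree(root)
    findings = {}
    for path, data in current.items():
        if path not in base:
            findings[path] = ("created", data)      # file did not exist before
            continue
        old_len, old_digest = base[path]
        if hashlib.sha256(data).hexdigest() == old_digest:
            continue                                 # unchanged
        prefix = hashlib.sha256(data[:old_len]).hexdigest()
        if len(data) > old_len and prefix == old_digest:
            findings[path] = ("appended", data[old_len:])  # old content intact
        else:
            findings[path] = ("modified", b"")
    for path in set(base) - set(current):
        findings[path] = ("removed", b"")
    return findings

def demo():
    """Constructed sample: a stand-in cron directory in a temp folder."""
    with tempfile.TemporaryDirectory() as root:
        crontab = os.path.join(root, "crontab")
        with open(crontab, "wb") as fh:
            fh.write(b"17 * * * * root run-parts /etc/cron.hourly\n")
        base = snapshot(root)
        with open(crontab, "ab") as fh:              # simulated append
            fh.write(b"* * * * * root /bin/true\n")
        with open(os.path.join(root, "newjob"), "wb") as fh:  # simulated create
            fh.write(b"@reboot root /bin/true\n")
        return {os.path.basename(p): v for p, v in classify(root, base).items()}

if __name__ == "__main__":
    print(demo())
```

On a real host the baseline would be taken from a trusted image and stored off the device, since a process running as root can also rewrite a local baseline.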
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
http://softcase.ru/
------------------------------------------
[Affected Product Code Base]
T-Router network component. - Linux T-Router (build: 20112017)
------------------------------------------
[Affected Component]
T-Router network component.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
A remote user can send a specially crafted packet using the encryption working key extracted from the device and get read/write access to arbitrary files on the system as root.
------------------------------------------
[Reference]
https://www.facebook.com/neolead
https://ptsecurity.com
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Leonid Krolle \ George Zaytsev (Positive Technologies)