Software: Leostream Connection Broker
Affected Versions: 220.127.116.11
Vendor page: https://leostream.com/
CVE Reference: CVE-2021-41551
Attack Vector: path traversal, authenticated
Credits: Andrei Constantin Scutariu, Lenk Ratchakrit Seriamnuai, Andrea Malusardi
Leostream Connection Broker 18.104.22.168 allows administrators to conduct directory traversal attacks by uploading a ZIP file that contains a symbolic link.
The Leostream has released a patch for this vulnerability, JUMPSEC recommend upgrading the affected versions to this new version as soon as possible. Leostream’s advice and release notes can be found here.
For achieving local file inclusion, an attacker with administrator access to the application – or access as a custom role allowing TPC uploads – can upload zip files to be extracted in the web server directory. The attackers uploaded zip file should be created with a symbolic link by executing “ln -s /etc/passwd passwd”, which can then be zipped using “zip –symlink -r upload.zip passwd” to create the archive. After supplying the zip file to the application, the archive will be extracted and the target file (in this case /etc/passwd) will be accessible in the /tpc/ directory of the web server, in this example /tpc/passwd.
10/09/2021: Issue reported to the vendor
10/09/2021: Vendor acknowledged the issues
22/09/2021: CVE number assigned from MITRE
16/10/2021: The security patch was released by Leostream
25/01/2021: Advisory published by JUMPSEC