Intelbras Telefone IP TIP200 and 200 LITE Unauthenticated Arbitrary File Read Vulnerability

Vulnerability

An unauthenticated arbitrary file read vulnerability has been identified in the Intelbras Telefone IP TIP200 and 200 LITE models. The flaw is in the 'dumpConfigFile' function, which is reachable through the 'cgiServer.exx' endpoint. Attackers can exploit it by sending GET requests to '/cgi-bin/cgiServer.exx' with the 'command' parameter set to 'dumpConfigFile()'. This allows unauthorized reading of sensitive files, such as '/etc/shadow' and various configuration files.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive files, including password hashes and configuration data, which could be leveraged for further attacks or to compromise the device.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/cgi-bin/cgiServer.exx' endpoint with the 'command' parameter set to 'dumpConfigFile()' followed by the path of the desired file. This can be done with a web browser, a tool like curl, or a custom script that automates the process. The request must include basic authentication with a username and password, but the specific credentials are not checked, so exploitation does not require valid authorization.
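For detection, the request shape described above can be searched for in web or reverse-proxy access logs. The following is an added example, not code from the advisory or the vendor: it assumes Common Log Format, and the log lines, the way the path is attached to dumpConfigFile(), the 'getStatus()' command and the '/config/system.ini' path are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Common Log Format), not captured traffic.
# How the file path is attached to dumpConfigFile() is an assumption; the
# detection below only relies on the endpoint and function name from the page.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Mar/2026:19:40:01 +0000] "GET /cgi-bin/cgiServer.exx?command=dumpConfigFile(%22/etc/shadow%22) HTTP/1.1" 200 812
192.0.2.10 - admin [11/Mar/2026:19:40:05 +0000] "GET /CGI-BIN/cgiServer.exx?command=DumpConfigFile%28%22%2Fconfig%2Fsystem.ini%22%29 HTTP/1.1" 200 2048
198.51.100.7 - - [11/Mar/2026:19:41:12 +0000] "GET /cgi-bin/cgiServer.exx?command=getStatus() HTTP/1.1" 200 64
198.51.100.7 - - [11/Mar/2026:19:42:30 +0000] "GET /index.html?ref=dumpConfigFile HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
ENDPOINT = "/cgi-bin/cgiserver.exx"      # compared case-insensitively
PATH_RE = re.compile(r"/[^\s\"')]+")     # first absolute path in the argument


def find_dump_requests(log_text):
    """Return one record per request that calls dumpConfigFile on the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, user, _method, target, status = m.groups()
        url = urlsplit(target)
        if unquote(url.path).lower() != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so encoded variants are normalised.
        for cmd in parse_qs(url.query).get("command", []):
            pos = cmd.lower().find("dumpconfigfile")
            if pos < 0:
                continue
            path = PATH_RE.search(cmd, pos)
            hits.append({
                "src": src,
                "user": user,  # credentials are not checked, so any value may appear
                "file": path.group(0) if path else None,
                "status": int(status),
            })
    return hits


if __name__ == "__main__":
    for hit in find_dump_requests(SAMPLE_LOG):
        print(hit)
```

Because the page states the supplied credentials are not checked, the logged user name should not be used to filter results.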

Added: Mar 11, 2026, 7:45 PM
Updated: Mar 11, 2026, 7:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.