MBS Universal BACnet Router Arbitrary File Write Vulnerability in wwupload.cgi Endpoint

Vulnerability

An arbitrary file write vulnerability has been identified in the MBS Universal BACnet Router's web interface, specifically within the wwupload.cgi endpoint. This vulnerability arises from a path traversal issue, allowing low-privileged remote attackers to overwrite arbitrary files on the device, potentially leading to a full system compromise. The vulnerability affects both the 32 MB and 64 MB RAM firmware versions.

Impact

Exploitation of this vulnerability gives an attacker full control over the file system. They can overwrite any file, replace existing scripts with malicious ones that will be executed, change passwords for the web interface and SSH accounts, modify various configuration files, and manipulate network filters.

Reproduction

To reproduce this vulnerability, upload a file through the wwupload.cgi endpoint by manually changing the file parameter to a name other than the default contact1.png or contact2.png. The file will be uploaded to the /ubr/config directory, overwriting any existing files. This can be done by sending a crafted HTTP POST request with the modified file name.

Remediation

MBS GmbH has released a firmware update to version V6.0.1.0 for the Universal BACnet Router. Users are advised to install this update immediately.
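
The root cause described under Reproduction is a client-controlled file name reaching the write path. The following is an added example, not MBS code and not taken from the firmware: a C sketch of the server-side check that closes this class of bug by mapping the submitted name to a fixed destination. The function names and the PNG content check are assumptions; only /ubr/config and the two default file names come from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Fixed destinations: the two default names from the advisory under
 * /ubr/config. The path is never built from client input. */
static const char *const ALLOWED[][2] = {
    { "contact1.png", "/ubr/config/contact1.png" },
    { "contact2.png", "/ubr/config/contact2.png" },
};

/* Map a client-supplied file name to its fixed destination, or NULL. */
const char *upload_destination(const char *name)
{
    size_t i;
    if (name == NULL)
        return NULL;
    for (i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(name, ALLOWED[i][0]) == 0)   /* exact match only */
            return ALLOWED[i][1];
    return NULL;  /* any other name, with or without '/' or "..", is refused */
}

/* Extra check (assumption: contact images must be PNG): 8-byte PNG signature. */
int upload_is_png(const unsigned char *data, size_t len)
{
    static const unsigned char sig[8] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n' };
    return data != NULL && len >= sizeof sig && memcmp(data, sig, sizeof sig) == 0;
}

/* Returns the path to write to, or NULL if the upload must be rejected. */
const char *accept_upload(const char *name, const unsigned char *data, size_t len)
{
    const char *dest = upload_destination(name);
    return (dest != NULL && upload_is_png(data, len)) ? dest : NULL;
}

int main(void)
{
    /* Constructed sample inputs. */
    const unsigned char png[] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n', 0 };
    const char *names[] = { "contact1.png", "other.cfg", "../contact1.png" };
    size_t i;
    for (i = 0; i < 3; i++) {
        const char *d = accept_upload(names[i], png, sizeof png);
        printf("%-18s -> %s\n", names[i], d ? d : "REJECTED");
    }
    return 0;
}
```

Because the returned path is a constant, no sanitising of separators or dot segments is needed; a name either matches the allowlist exactly or the upload is dropped.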

Added: Mar 9, 2026, 9:26 AM
Updated: Mar 9, 2026, 9:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 3.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.