MBS Universal BACnet Router UBR Web Interface Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability exists in the MBS Universal BACnet Router UBR web interface, specifically within the wwwupload.cgi endpoint. Due to inadequate authorization checks, an unauthorized remote attacker can upload and overwrite arbitrary files, including contact images, HTTPS certificates, system backups, server peer configurations, and BACnet/SC server certificates and keys. This vulnerability affects both the 32 MB and 64 MB RAM versions of the UBR firmware.

Impact

Exploitation of this vulnerability allows arbitrary file uploads, which can overwrite existing files or introduce malicious scripts that could be executed on the device. It could also lead to unauthorized access through uploaded files that contain sensitive information or credentials.

Reproduction

To reproduce this vulnerability, send a POST request to the wwwupload.cgi endpoint with a file parameter that is not one of the two expected contact image names. The file will be uploaded to a location that allows overwriting of sensitive files on the device.

Remediation

Users are advised to update to the latest UBR firmware version 6.0.1.0, which addresses this vulnerability.
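
A defender-side check for the exposure described above, as an added example that is not part of the original advisory: it scans web access logs for POST requests to wwwupload.cgi that come from outside a management allowlist. The Common Log Format input, the 10.20.30.0/28 management subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: Common Log Format lines from a reverse proxy or network sensor
# in front of the router; the advisory does not describe the UBR's own logging.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Assumption: hypothetical management subnet allowed to administer the device.
ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/28")]

def is_admin(src):
    """True if the source address belongs to an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never treated as trusted
    return any(addr in net for net in ADMIN_NETS)

def suspicious_uploads(lines):
    """Return (timestamp, source, status) for upload POSTs from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string and normalise case before comparing the endpoint name.
        endpoint = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if m["method"] != "POST" or endpoint != "wwwupload.cgi":
            continue
        if not is_admin(m["src"]):
            hits.append((m["ts"], m["src"], m["status"]))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.30.5 - - [09/Mar/2026:09:01:12 +0000] "POST /wwwupload.cgi HTTP/1.1" 200 312',
    '198.51.100.23 - - [09/Mar/2026:09:04:40 +0000] "POST /wwwupload.cgi HTTP/1.1" 200 298',
    '198.51.100.23 - - [09/Mar/2026:09:04:41 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.77 - - [09/Mar/2026:09:10:02 +0000] "POST /WWWUPLOAD.CGI?x=1 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE):
        print(hit)
```

Any hit on a device that has not yet been updated to 6.0.1.0 is a reason to compare its certificates, keys, backups and peer configuration against known-good copies.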

Added: Mar 9, 2026, 9:23 AM
Updated: Mar 9, 2026, 9:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 3.9
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.