Sercomm SCE4255W Path Traversal Vulnerability Allowing Arbitrary File Read

A path traversal vulnerability has been identified in the Sercomm SCE4255W small cell device, specifically in the FreedomFi Englewood firmware version prior to DG3934v3@2308041842. The vulnerability exists in the web CGI script setup.cgi, where the log_type parameter can be manipulated to read arbitrary files from the filesystem. This is achieved by crafting specific values that traverse the directory structure, bypassing intended restrictions. The flaw allows remote authenticated users to access sensitive files, including hashed credentials and internal configuration data, which could be exploited to extract authentication materials and escalate privileges.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive files and credentials, with potential for privilege escalation on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to /ftl/web/setup.cgi with the log_type parameter set to a crafted value that includes traversal sequences. This request should be made after authenticating to the device's web interface to include the necessary authentication cookie. The server will respond with the contents of the requested file, confirming the successful exploitation of the path traversal flaw.