Novakon P Series Path Traversal Vulnerability Allowing Root File System Access and Modification
Vulnerability
A path traversal vulnerability has been identified in the Novakon P series HMI devices, specifically in version V2001.A.C518o2. This vulnerability allows an attacker to traverse the file system and access the root directory, with the ability to read and modify system-wide files and configurations as the root user. The issue arises from the file-explorer functionality, which can be exploited by creating a symlink to the root file system on a specially prepared flash drive and using the copy/paste feature to alter files.
Impact
Exploitation of this vulnerability could lead to unauthorized access and modification of critical system files, potentially compromising the entire device.
Reproduction
To reproduce this vulnerability, a physical attacker must create an ext2 partition on a flash drive, format it, and add a symlink to the root directory. After connecting the flash drive to the device, the attacker can use the Novakon iFace Designer application to upload an application that includes a button to open the file-explorer. Once the application is installed, the file-explorer can be opened, and the symlink can be used to traverse the file system and modify files as the root user.
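A containment check that a file explorer could run on every source and destination path before a copy/paste on removable media, refusing anything that resolves outside the mount point. This is an added example, not Novakon's code or part of the original advisory; the function names, the temporary directory and the sample file `project.bin` are constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1: `path` resolves inside `mount_root` once every symlink is followed.
 * 0: it resolves outside (refuse the operation). -1: cannot be resolved. */
int path_is_contained(const char *mount_root, const char *path)
{
    char root_real[PATH_MAX], target_real[PATH_MAX];
    if (!realpath(mount_root, root_real) || !realpath(path, target_real))
        return -1;
    size_t n = strlen(root_real);
    if (n == 1)                       /* mount root is "/" itself */
        return 1;
    if (strncmp(target_real, root_real, n) != 0)
        return 0;
    /* Require a component boundary so /media/usb1 does not match /media/usb10. */
    return target_real[n] == '\0' || target_real[n] == '/';
}

/* Constructed sample media: a temp directory holding one regular file and
 * a symlink named "rootfs" that points at "/". Returns 0 on success. */
int make_sample_media(char *dir_template)
{
    char p[PATH_MAX];
    if (!mkdtemp(dir_template)) return -1;
    snprintf(p, sizeof p, "%s/project.bin", dir_template);
    FILE *f = fopen(p, "w");
    if (!f) return -1;
    fclose(f);
    snprintf(p, sizeof p, "%s/rootfs", dir_template);
    return symlink("/", p);
}

int main(void)
{
    char media[] = "/tmp/hmi-media-XXXXXX", p[PATH_MAX];
    if (make_sample_media(media) != 0) return 1;
    snprintf(p, sizeof p, "%s/project.bin", media);
    printf("project.bin -> %d\n", path_is_contained(media, p));
    snprintf(p, sizeof p, "%s/rootfs", media);
    printf("rootfs      -> %d\n", path_is_contained(media, p));
    return 0;
}
```

A resolve-then-open check like this can be raced if the media changes between the check and the file operation; on Linux 5.6 and later, `openat2()` with `RESOLVE_BENEATH` enforces the same containment atomically at open time.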
