BACnet Stack Path Traversal Vulnerability Allowing Arbitrary File Writes

Vulnerability

A path traversal vulnerability has been identified in BACnet Stack versions prior to 1.5.0.rc3. The issue arises from the file writing functionality, where user-provided file paths are not properly validated. This lack of validation allows attackers to write files to arbitrary directories, potentially overwriting critical configuration files. The vulnerability is present in the BACnet file read client application and the POSIX file system interface.

Impact

Exploitation of this vulnerability allows for arbitrary file writes, with a high risk of overwriting important configuration files.

Reproduction

The vulnerability can be reproduced by using the BACnet file read client application and providing a relative or absolute file path as a command line argument. The absence of path validation can be confirmed by the successful creation of a file at the specified location, bypassing intended directory restrictions.
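The validation whose absence is described above can be sketched in C as follows. This is an added example, not code from the BACnet Stack project or its fix; the function names, the base directory `/var/lib/bacnet` and the sample file names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a BACnet Stack function): accept only a relative
 * name with no ".." component, no leading separator, no drive or backslash. */
bool path_is_confined(const char *name)
{
    const char *p = name;
    if (!name || !*name || name[0] == '/')
        return false; /* empty name or absolute POSIX path */
    if (strchr(name, '\\') || strchr(name, ':'))
        return false; /* Windows separators, drive letters, UNC */
    while (*p) {
        size_t len = strcspn(p, "/"); /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false; /* parent-directory step */
        p += len;
        if (*p == '/')
            p++;
    }
    return true;
}

/* Join base and name into out only if name passes the check and fits. */
bool build_confined_path(const char *base, const char *name,
                         char *out, size_t out_len)
{
    int n;
    if (!base || !out || !path_is_confined(name))
        return false;
    n = snprintf(out, out_len, "%s/%s", base, name);
    return n > 0 && (size_t)n < out_len;
}

int main(void)
{
    /* Constructed sample inputs; the base directory is an assumption. */
    const char *names[] = { "trend.log", "logs/trend.log",
                            "../../etc/device.conf", "/tmp/device.conf" };
    char path[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-24s %s\n", names[i],
               build_confined_path("/var/lib/bacnet", names[i], path,
                                   sizeof path) ? path : "REJECTED");
    return 0;
}
```

The check is lexical only: a symbolic link inside the base directory can still point elsewhere, so on POSIX the resolved path (for example from `realpath()`) should also be compared against the base before the file is opened for writing.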

Remediation

Users are advised to update BACnet Stack to version 1.5.0.rc3 or later, where this vulnerability has been fixed.

Added: Feb 13, 2026, 7:47 PM
Updated: Feb 13, 2026, 11:35 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 3.3
exploitability: 5.5
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.