Technostrobe HI-LED-WR120-G2 Unauthenticated File Upload Vulnerability
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in the Technostrobe HI-LED-WR120-G2 obstruction lighting controller, specifically in version 5.5.0.1R6.03.30. The issue arises from a lack of authentication and proper file validation in the '/fs' endpoint, which accepts any file type and writes to user-specified directories. This vulnerability could be exploited remotely, with the potential for uploaded files to be immediately accessible via HTTP.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, with the possibility of overwriting critical configuration files or deploying malicious scripts that could be executed on the device. Such actions could lead to unauthorized access or control over the lighting system, creating a significant aviation hazard.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/fs' endpoint without any authentication. The request must include the 'cwd' parameter to specify the destination directory, and the 'selectedfile' parameter to upload the desired file. Once the file is uploaded, it can be accessed through the web server, verifying the success of the exploit.
Remediation
To address this vulnerability, it is recommended to implement authentication checks for file uploads, restrict upload directories to a designated 'uploads' folder, allow only specific file types that are operationally necessary, and remove the '/fs' endpoint from production firmware if it is not in use.
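The first three remediation steps, combined into one server-side check, as an added example (not vendor or firmware code). The 'cwd' and 'selectedfile' file name inputs are the parameters described above; UPLOAD_ROOT, ALLOWED_EXTENSIONS and the function and exception names are assumptions chosen for illustration.

```python
import posixpath

# Assumed values for illustration; not taken from the device firmware.
UPLOAD_ROOT = "/data/uploads"          # hypothetical dedicated upload folder
ALLOWED_EXTENSIONS = {".cfg", ".bin"}  # hypothetical operationally required types


class UploadRejected(Exception):
    """Raised when an upload request fails a policy check."""


def resolve_upload_path(authenticated, cwd, filename):
    """Return the path an upload may be written to, or raise UploadRejected."""
    # 1. Authentication is checked before any request parameter is parsed.
    if not authenticated:
        raise UploadRejected("authentication required")

    # 2. The uploaded file name must be a bare name, never a path.
    if (not filename or filename in (".", "..") or "\x00" in filename
            or "/" in filename or "\\" in filename):
        raise UploadRejected("invalid file name")

    # 3. Only allowlisted extensions are accepted (compared case-insensitively).
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("file type not allowed")

    # 4. 'cwd' is interpreted relative to UPLOAD_ROOT. After normalisation the
    #    result must still sit under UPLOAD_ROOT; an absolute 'cwd' or one with
    #    '..' segments fails this test. On a real filesystem, also resolve
    #    symlinks (os.path.realpath) before comparing.
    if "\x00" in cwd:
        raise UploadRejected("invalid directory")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, cwd, filename))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise UploadRejected("destination outside upload directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: (authenticated, cwd, file name)
    for req in [(True, "site1", "lights.cfg"), (False, "site1", "lights.cfg"),
                (True, "../../etc", "lights.cfg"), (True, "site1", "page.html")]:
        try:
            print(req, "->", resolve_upload_path(*req))
        except UploadRejected as exc:
            print(req, "-> rejected:", exc)
```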
