Technostrobe HI-LED-WR120-G2 Unauthenticated File Deletion Vulnerability

Vulnerability

A vulnerability exists in the Technostrobe HI-LED-WR120-G2 obstruction lighting controller, specifically in version 5.5.0.1R6.03.30. The issue arises in the FsBrowseClean component, where the deletefile function lacks proper authorization checks. This vulnerability allows for unauthenticated deletion of arbitrary files on the device, including critical system configuration files. The flaw can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability leads to unauthorized deletion of files, which can disrupt the functionality of the device and cause operational issues, particularly in managing obstruction lights for aviation safety.

Reproduction

The vulnerability can be reproduced by sending a POST request to the device's web server with the 'ajax' parameter set to 'FsBrowseClean', the 'action' parameter set to 'deletefile', and the 'path' parameter specifying the file to be deleted. This request can be made using a tool like curl, without any authentication.

Remediation

To address this vulnerability, it is recommended to implement authentication for all AJAX handlers, restrict deletable paths to specific directories, canonicalize path parameters to prevent traversal attacks, and log all file deletion actions.
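The four recommendations above combined in one delete handler, as an added example that is not Technostrobe firmware code. The names `safe_delete` and `DeleteRefused`, the `uploads` directory and `system.cfg` are hypothetical, and the requests in `demo()` are constructed.

```python
import logging
import os
import tempfile

audit = logging.getLogger("fsbrowse.audit")  # hypothetical logger name

class DeleteRefused(Exception):
    """A delete request failed an authorization or path check."""

def safe_delete(authenticated, user, requested_path, allowed_root):
    """Delete a file only for an authenticated caller, and only when the
    canonical target is a regular file inside allowed_root."""
    if not authenticated:
        audit.warning("refused unauthenticated delete path=%r", requested_path)
        raise DeleteRefused("authentication required")
    root = os.path.realpath(allowed_root)
    # Join, then canonicalize: collapses "..", follows symlinks, and exposes
    # absolute paths (os.path.join discards root when given one).
    target = os.path.realpath(os.path.join(root, requested_path))
    if target == root or os.path.commonpath([root, target]) != root:
        audit.warning("refused delete outside root user=%s path=%r", user, requested_path)
        raise DeleteRefused("path outside allowed directory")
    if not os.path.isfile(target):
        raise DeleteRefused("not a regular file")
    os.remove(target)
    audit.info("deleted user=%s path=%s", user, target)
    return target

def demo():
    """Run constructed requests against a throwaway directory tree."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "uploads")       # the only deletable directory
    os.mkdir(root)
    config = os.path.join(base, "system.cfg")  # constructed stand-in for a config file
    for p in (config, os.path.join(root, "old.log")):
        with open(p, "w") as fh:
            fh.write("x")
    results = {}
    cases = [("anon", False, "old.log"), ("traversal", True, "../system.cfg"),
             ("absolute", True, config), ("valid", True, "old.log")]
    for name, authed, path in cases:
        try:
            safe_delete(authed, "operator", path, root)
            results[name] = "deleted"
        except DeleteRefused as exc:
            results[name] = str(exc)
    results["config_intact"] = os.path.exists(config)
    return results
```

The containment check runs on the canonical path, so a relative traversal, an absolute path and a symlink pointing outside the allowed directory are all refused by the same comparison.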

Added: Apr 5, 2026, 3:19 PM
Updated: Apr 5, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 5.3
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.