CVE-2019-25610
Description
NetNumber Titan Master 7.9.1 contains a path traversal vulnerability in the drp endpoint that allows authenticated users to download arbitrary files by injecting directory traversal sequences. Attackers can manipulate the path parameter with base64-encoded payloads containing ../ sequences to bypass authorization and retrieve sensitive system files like /etc/shadow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NetNumber Titan Master 7.9.1 drp endpoint allows authenticated path traversal via base64-encoded payloads, enabling arbitrary file downloads.
Vulnerability
Description
CVE-2019-25610 is a path traversal vulnerability in the NetNumber Titan Master 7.9.1 web GUI, specifically within the drp endpoint [1][2]. The root cause is improper input validation of the path parameter, which accepts base64-encoded values. An attacker can inject directory traversal sequences (e.g., ../) by encoding them in base64 and replacing the = padding characters with $ signs. While the endpoint is meant to provide trace file downloads, the lack of sanitization allows escape from the intended directory [2].
Exploitation
The attack requires an authenticated session to the Titan Master web GUI; however, even low-privileged users can exploit this flaw [2]. The HTTP request is sent to /drp?download=true&path=<base64-encoded-payload>, where the payload decodes to a path containing ../ sequences. The reference exploit demonstrates retrieving /etc/shadow by encoding a path that traverses to the system root [2]. The webserver runs with elevated privileges, making sensitive system files accessible [2].
Impact
Successful exploitation allows an authenticated remote attacker to download arbitrary files from the server, including sensitive system files such as /etc/shadow [1][2][3]. This can lead to further compromise, such as credential theft or privilege escalation. The vulnerability has a CVSS v3 base score of 6.5 (Medium) [3].
Mitigation
The vendor has addressed the issue in a newer version of the software [2]. Users running Titan Master 7.9.1 or earlier should upgrade to the patched version to mitigate the risk. No official workaround is documented, but restricting access to the web GUI or monitoring for unusual base64-encoded path parameters could serve as interim measures [1][2][3].
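The monitoring measure mentioned above can be sketched as a log check. This is an added example, not code from the vendor or the CVE record: it decodes the path parameter of /drp requests (base64 with = padding written as $) and flags values containing ../ segments. The access-log format, the function names, the sample trace file name, and the assumption that legitimate values never contain a .. segment are all hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Assumption: access logs use the common/combined format with a quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_drp_path(value):
    """Reverse the encoding the advisory describes: base64 with '=' sent as '$'."""
    try:
        raw = base64.b64decode(value.replace("$", "="), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def classify(line):
    """Return (verdict, decoded_path); verdict is None for non-drp log lines."""
    m = REQUEST_RE.search(line)
    url = urlsplit(m.group(1)) if m else None
    if url is None or url.path != "/drp":
        return None, None
    # Split the query by hand: parse_qs would turn '+' (valid base64) into a space.
    params = dict(p.partition("=")[::2] for p in url.query.split("&"))
    if "path" not in params:
        return None, None
    decoded = decode_drp_path(unquote(params["path"]))
    if decoded is None:
        return "undecodable", None  # worth reviewing: not what the GUI would send
    segments = decoded.replace("\\", "/").split("/")
    return ("traversal" if ".." in segments else "ok"), decoded

def make_line(path):
    """Build a constructed log line (test data only) for a given decoded path."""
    token = base64.b64encode(path.encode()).decode().replace("=", "$")
    return ('192.0.2.10 - user [01/Jan/2024:10:00:00 +0000] '
            f'"GET /drp?download=true&path={token} HTTP/1.1" 200 512')

# Constructed sample log; the trace file name is hypothetical.
SAMPLE_LOG = [
    make_line("trace_0001.log"),
    make_line("../../../../etc/shadow"),
    '192.0.2.10 - user [01/Jan/2024:10:00:02 +0000] "GET /drp?download=true&path=%%% HTTP/1.1" 400 0',
    '192.0.2.10 - user [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

Lines classified as traversal or undecodable are the ones to alert on; tightening the check to an allowlist of known trace file names would be stricter still.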
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 7.9.1
Patches (0)
No patches discovered yet.
References (3)