CVE-2021-21880
Description
A directory traversal vulnerability exists in the Web Manager FsCopyFile functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated directory traversal in Lantronix PremierWave 2050 Web Manager allows local file inclusion via crafted HTTP request.
Vulnerability
A directory traversal vulnerability exists in the Web Manager FsCopyFile functionality of Lantronix PremierWave 2050 firmware version 8.9.0.0R4 [1]. The cwd and dst HTTP POST parameters are not properly sanitized, allowing path traversal sequences to bypass the intended restriction to the /ltrx_user/ directory. This feature is only accessible to authenticated users with the filesystem privilege.
Exploitation
An attacker with valid credentials and filesystem privilege can send a crafted HTTP POST request to the Web Manager endpoint ajax=FsCopyFile. By manipulating the cwd parameter (e.g., /../etc/) and the dst parameter (e.g., ../ltrx_user/shadow), the attacker can copy arbitrary files from outside the restricted directory into the /ltrx_user/ directory [1]. The provided example demonstrates copying /etc/shadow into an accessible location.
Impact
Successful exploitation allows an authenticated attacker to copy sensitive system files (e.g., /etc/shadow, configuration files) into the world-readable /ltrx_user/ directory. This leads to local file inclusion and potential privilege escalation or information disclosure. The CVSSv3 score is 7.2 (High) [1].
Mitigation
As of the advisory publication date (2021-12-22), no official patch has been announced by Lantronix [1]. Users should contact the vendor for firmware updates or restrict access to the Web Manager to trusted users only. No workaround is documented in the available references.
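The containment check that the cwd and dst parameters fail to enforce, written as an added example for reviewing logged or proxied FsCopyFile request bodies; it is not Lantronix or Talos code and not a vendor workaround. Assumptions: ajax, cwd and dst arrive together in one form-encoded body, the device joins /ltrx_user + cwd + file name, and the sample bodies are constructed.

```python
import posixpath
from urllib.parse import parse_qs, unquote

BASE = "/ltrx_user"  # directory the page says FsCopyFile should be confined to

# Constructed sample POST bodies; the traversal values are the ones quoted above.
SAMPLE_TRAVERSAL = "ajax=FsCopyFile&cwd=%2F..%2Fetc%2F&dst=..%2Fltrx_user%2Fshadow"
SAMPLE_DOUBLE_ENCODED = "ajax=FsCopyFile&cwd=%252F..%252Fetc%252F&dst=x"
SAMPLE_BENIGN = "ajax=FsCopyFile&cwd=%2Flogs%2F&dst=backup.txt"


def _decode(value, rounds=3):
    """Strip up to `rounds` further layers of percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _inside_base(path):
    return path == BASE or path.startswith(BASE + "/")


def check_fscopyfile(body):
    """Return findings for one form-encoded body; an empty list means nothing flagged."""
    params = {k: _decode(v[-1]) for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("ajax") != "FsCopyFile":
        return []
    cwd, dst = params.get("cwd", "/"), params.get("dst", "")
    # Assumption: the device builds paths as BASE + cwd + file name.
    # normpath is purely lexical, so symlinks on the device are not considered.
    cwd_abs = posixpath.normpath(BASE + "/" + cwd)
    dst_abs = posixpath.normpath(cwd_abs.rstrip("/") + "/" + dst)
    findings = []
    for name, raw, resolved in (("cwd", cwd, cwd_abs), ("dst", dst, dst_abs)):
        if not _inside_base(resolved):
            findings.append(f"{name} resolves outside {BASE}: {resolved}")
        elif ".." in raw.split("/"):
            findings.append(f"{name} contains '..' segment: {raw}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_TRAVERSAL, SAMPLE_DOUBLE_ENCODED, SAMPLE_BENIGN):
        print(sample, "->", check_fscopyfile(sample) or "clean")
```

The dst value from the advisory resolves back inside /ltrx_user/, so a check on the destination alone passes it; the cwd value is what escapes the base directory.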
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lantronix/PremierWave 2050
- Range: =8.9.0.0R4
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1324 (mitre, x_refsource_MISC)