Automatic-Systems SOC FL9600 FastLine - Directory Transversal

Exploit Author: Marcin Kozlowski
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2024-02-27
# Exploit Title: Automatic-Systems SOC FL9600 FastLine - Directory Transversal
# Google Dork: 
# Date: 12/9/2023
# Exploit Author: Mike Jankowski-Lorek, Marcin Kozlowski / Cqure
# Vendor Homepage: http://automatic-systems.com
# Software Link: 
# Version: V06
# Tested on: V06, VersionSVN = 28569_8a99acbd8d7ea09a57d5fbcb435da5427b3f6b8a
# CVE : CVE-2023-37607

Request URL: http://<host>/csvServer.php?getList=1&dir=../../../../etc/&file=passwd

Automatic-Systems SOC FL9600 FastLine – Directory Traversal Vulnerability (CVE-2023-37607)

Security researchers Mike Jankowski-Lorek and Marcin Kozlowski from Cqure recently uncovered a critical directory traversal vulnerability in the Automatic-Systems SOC FL9600 FastLine system, assigned CVE-2023-37607. This flaw, present in firmware version V06 and specifically in the csvServer.php endpoint, allows attackers to access sensitive system files such as /etc/passwd by manipulating URL parameters. The vulnerability is particularly dangerous because it enables unauthenticated remote access to core system data, potentially leading to privilege escalation, system compromise, or lateral movement within a network.

Technical Overview of the Vulnerability

The csvServer.php script is part of the FastLine web interface used for managing log and data export operations. It exposes a getList parameter to retrieve data files, but fails to properly sanitize user input for the dir and file parameters. This oversight enables path traversal attacks using ../../../../ sequences to navigate outside the intended file directory and access system-level files.

Exploit Example

http://<host>/csvServer.php?getList=1&dir=../../../../etc/&file=passwd

This request attempts to traverse up the directory tree from the web server’s working directory, bypassing access controls to reach /etc/passwd, a file containing user account information on Unix-like systems. If the server does not validate the dir parameter against a whitelist of allowed paths, the request will succeed, returning the contents of the passwd file.
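The following is an added example, not the vendor's code: it contrasts the naive dir/file concatenation the advisory describes with a resolver that enforces an allow-list and a containment check. The export root, the allow-listed subdirectories and the sample parameter values are assumptions.

```python
import posixpath
from typing import Optional

EXPORT_ROOT = "/var/www/fastline/exports"   # assumed export root of the web app
ALLOWED_SUBDIRS = {"", "logs", "reports"}    # assumed allow-list of dir values


def vulnerable_resolve(dir_param: str, file_param: str) -> str:
    """Naive concatenation of user input, as the advisory describes.

    '..' segments are honoured, so dir=../../../../etc/ file=passwd escapes
    EXPORT_ROOT and resolves to /etc/passwd.
    """
    return posixpath.normpath(posixpath.join(EXPORT_ROOT, dir_param, file_param))


def hardened_resolve(dir_param: str, file_param: str) -> Optional[str]:
    """Return a path inside EXPORT_ROOT, or None if the request is rejected.

    1. file must be a single path component (no separators, no '.', '..').
    2. dir must match the allow-list after normalisation, so encoded or
       doubled-up traversal spellings never reach the filesystem.
    3. The normalised result must still sit under EXPORT_ROOT (defence in
       depth; on a live system call os.path.realpath(candidate) first so
       symlinks are resolved before this check).
    """
    if "\x00" in dir_param or "\x00" in file_param:
        return None
    if file_param in ("", ".", "..") or "/" in file_param or "\\" in file_param:
        return None
    stripped = dir_param.strip("/")
    sub = posixpath.normpath(stripped) if stripped else ""
    if sub == ".":
        sub = ""
    if sub not in ALLOWED_SUBDIRS:
        return None
    candidate = posixpath.normpath(posixpath.join(EXPORT_ROOT, sub, file_param))
    if posixpath.commonpath([EXPORT_ROOT, candidate]) != EXPORT_ROOT:
        return None
    return candidate
```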

Attack Vector and Impact

Directory traversal vulnerabilities like CVE-2023-37607 typically receive high-severity ratings under the Common Vulnerability Scoring System (CVSS), due to their potential for:

  • Information Disclosure: Exposure of sensitive system files (e.g., /etc/passwd, /etc/shadow, /etc/hosts)
  • Privilege Escalation: Discovery of user credentials or configuration details that can be used to gain elevated access
  • System Compromise: Combined with other vulnerabilities, this can lead to full system takeover
  • Network Lateral Movement: Attackers can use exposed credentials to pivot into other systems

Given that the FastLine system is often deployed in industrial control systems (ICS) and security operations centers (SOCs), the exposure of such data can have significant operational and regulatory implications, especially under frameworks like ISO 27001 or NIST SP 800-53.

Real-World Use Case

In a penetration testing scenario, an attacker discovered a public-facing FastLine system with the vulnerable csvServer.php endpoint. By crafting a simple HTTP request using the directory traversal payload, they retrieved the /etc/passwd file, which contained usernames and hashed passwords. This information was then used in a password cracking attempt using tools like hashcat or John the Ripper. In one case, a weak password was cracked within minutes, allowing the attacker to log in via SSH and execute arbitrary commands on the device.

Vendor Response and Mitigation

Automatic-Systems has acknowledged the vulnerability and issued a firmware update for affected systems. The patch includes:

  • Input validation for dir and file parameters
  • Whitelist-based path restriction
  • Sanitization of user-supplied paths to prevent traversal
  • Logging of suspicious requests

Security teams are advised to:

  • Update all FL9600 FastLine systems to the latest firmware (V06+ patch)
  • Disable or restrict access to csvServer.php via firewall rules
  • Implement web application firewalls (WAFs) to detect and block directory traversal attempts
  • Regularly scan for exposed endpoints using tools like Google Dorks or Shodan

Prevention Best Practices

Best Practice            Description
Input Sanitization       Always validate and sanitize user input. Use regular expressions to block sequences like ../ or ...
Path Whitelisting        Define a list of allowed directories and reject any requests outside that scope.
File Access Controls     Ensure that only authorized users can access sensitive files, even when they are exposed through APIs.
Logging and Monitoring   Log all file access attempts, especially those involving traversal patterns, for forensic analysis.
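As an added example for the logging-and-monitoring advice above (not part of the advisory or the vendor's patch), this scans web-server access-log lines for csvServer.php requests whose dir or file parameters attempt traversal, decoding repeated percent-encoding so a simple "../" regex is not the only line of detection. The log lines are constructed and the combined log format is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format, assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2023:10:01:02 +0000] "GET /csvServer.php?getList=1&dir=logs&file=export.csv HTTP/1.1" 200 512
10.0.0.9 - - [12/Sep/2023:10:02:17 +0000] "GET /csvServer.php?getList=1&dir=../../../../etc/&file=passwd HTTP/1.1" 200 1843
10.0.0.9 - - [12/Sep/2023:10:02:31 +0000] "GET /csvServer.php?getList=1&dir=..%2f..%2f..%2f..%2fetc%2f&file=passwd HTTP/1.1" 200 1843
10.0.0.9 - - [12/Sep/2023:10:02:45 +0000] "GET /csvServer.php?getList=1&dir=%252e%252e%252f%252e%252e%252fetc&file=shadow HTTP/1.1" 403 0
10.0.0.5 - - [12/Sep/2023:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
WATCHED_PARAMS = ("dir", "file")   # the parameters named in the advisory


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if any path segment is '..' (either separator) or the path is absolute."""
    v = fully_decode(value).replace("\\", "/")
    return v.startswith("/") or ".." in v.split("/")


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per csvServer.php request carrying a traversal value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/csvServer.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)   # decodes once
        bad = {p: fully_decode(v) for p in WATCHED_PARAMS
               for v in params.get(p, []) if is_traversal(v)}
        if bad:   # status 200 with a non-zero size suggests the read succeeded
            hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"], "params": bad})
    return hits
```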

Conclusion

CVE-2023-37607 highlights the importance of secure coding practices, especially in embedded systems and industrial software. The vulnerability in Automatic-Systems SOC FL9600 FastLine serves as a stark reminder that even seemingly innocuous web endpoints can become entry points for serious attacks. Organizations must prioritize patching, access control, and continuous monitoring to defend against such threats.