The VERTIV Avocent AutoView switches are analog keyboard, video, and mouse (KVM) switches used in data center servers. They also expose a web server in the network, which allows for some configuration.
During a penetration test for a customer, a device of this type was identified in the infrastructure and analyzed, revealing an authentication bypass in the web application.
The application is written in PHP. To gain access to the PHP scripts, the firmware update was downloaded from the vendor’s download page. From the update, the PHP files can easily be extracted and analyzed.
The following piece of code in /webroot/phplib/avct.php piqued our interest.
$avctSessionId = ( isset( $_REQUEST["sessionId"] ) ? $_REQUEST["sessionId"] : $_COOKIE[ "avctSessionId" ] );
if ( file_exists( $_USER_DIR . $avctSessionId . ".user" ) ) // File Exists!
{
    $tmp = avctReadPropertyFile( $_USER_DIR . $avctSessionId . ".user" );
    if ( is_array( $tmp ) && ( sizeof( $tmp ) == 8 ) ) // Good File!
    {
        [...]
        $avctLoggedIn = true;
        $avctUsername = trim( $tmp["username"] );
        $avctPassword = trim( $tmp["password"] );
        $avctLocale = trim( $tmp["locale"] );
        $avctAuthMethod = trim( $tmp["authMethod"] );
        $avctRole = trim( $tmp["accessLevel"] );
        $avctPreemption = trim( $tmp["preemptionLevel"] );
        $avctUserId = trim( $tmp["userId"] );
    }
    else // Bad File!
    {
        @unlink( $_USER_DIR . $avctSessionId . ".user" );
        $avctSessionId = NULL;
    }
}
The code reads the sessionId parameter from the $_REQUEST variable, which holds all GET and POST parameters combined, and uses it in a path. This allows for path traversal by including / to separate directories and using .. to traverse back into the parent directory. This can be used to return to the root directory and use any file ending with .user as the session file.
Unfortunately, there are no standard files on the system ending with .user. However, older PHP versions only pass the part of a string before the first zero (NUL) character to the file system APIs. On these older versions, including a zero character in the string therefore strips any suffix the application appends. Since the PHP version in use is that old, this works here, and any file can be used as the session file.
This can already be used to delete files: whenever the targeted file is not considered a valid user file, it is removed by the @unlink call. However, to bypass authentication, a property file with eight properties is needed. Fortunately, there is /webroot/mini_httpd-remote-nossl.conf, which is a properties file with exactly eight properties. The property names differ from the expected ones, so most user values end up as the empty string (since trim(null) === ""), but the user is still considered to be logged in.
Since not all user values are specified, the user is considered a regular user rather than an administrator. However, it might be possible to use special files, such as those in /proc/self/fd, or other files to which user input is written, to bypass authentication and gain full admin access.
Fix
In version 2.10.0.0.4736, this issue was resolved by verifying that the user-supplied input is numeric, thereby ensuring that the directory cannot be altered.
$avctSessionId=(isset($_REQUEST["sessionId"])?$_REQUEST["sessionId"]:$_COOKIE[ "avctSessionId" ]);
if ( is_numeric( $avctSessionId ) && file_exists( $_USER_DIR . $avctSessionId . ".user" ) ) // File Exists!
{
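To make the two weak spots above concrete, the unvalidated sessionId and the "eight properties" check, here is an added example; it is not the vendor's code from the firmware. It models the vulnerable path builder beside a hardened one, the NUL-byte truncation of older PHP as a plain string function, and a key-based user-record check next to the count check. USER_DIR, the property arrays and every input are constructed assumptions; the real value of $_USER_DIR is not shown in this post.

```php
<?php
// Added example, not the vendor's code: the session-file lookup of avct.php
// re-modelled as a vulnerable and a hardened function, plus the
// "eight properties" check beside a key-based check.
// USER_DIR and all inputs below are constructed for the demonstration;
// the real $_USER_DIR value is not shown in the blog post.
declare(strict_types=1);

const USER_DIR = '/webroot/phplib/users/';   // assumed location

// The seven property names the excerpt reads from a .user file
// (the excerpt elides one more line, so the real file has eight).
const REQUIRED_KEYS = ['username', 'password', 'locale', 'authMethod',
                       'accessLevel', 'preemptionLevel', 'userId'];

// Vulnerable shape: whatever the client sent is concatenated into the path.
function vulnerableSessionPath(string $sessionId): string
{
    return USER_DIR . $sessionId . '.user';
}

// What old PHP handed to the file system: everything before the first
// NUL byte, so an attacker-controlled "\0" drops the ".user" suffix.
function legacyEffectivePath(string $path): string
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// Hardened shape: the vendor's fix uses is_numeric(), which already stops
// traversal because "/" , ".." and "\0" are never part of a numeric string.
// ctype_digit() is stricter still (rejects " 12", "1e3", ".5", "-1") and
// matches what a session id actually looks like.
function hardenedSessionPath(string $sessionId): ?string
{
    if ($sessionId === '' || !ctype_digit($sessionId)) {
        return null;            // reject before any file-system call
    }
    return USER_DIR . $sessionId . '.user';
}

// The original accepts any array with eight entries. Checking for the
// expected keys rejects a stray properties file that happens to have eight.
function isUserRecord(array $props): bool
{
    foreach (REQUIRED_KEYS as $key) {
        if (!array_key_exists($key, $props) || trim((string) $props[$key]) === '') {
            return false;
        }
    }
    return true;
}

// Constructed inputs: a normal id, the traversal-plus-NUL value described
// in the post, and a value is_numeric() accepts but ctype_digit() rejects.
$inputs = ['1234', "../../mini_httpd-remote-nossl.conf\0", '1e3'];

foreach ($inputs as $id) {
    printf("input %s\n", json_encode(str_replace("\0", '\0', $id)));
    printf("  vulnerable path on old PHP : %s\n",
        legacyEffectivePath(vulnerableSessionPath($id)));
    printf("  is_numeric() accepts       : %s\n", is_numeric($id) ? 'yes' : 'no');
    printf("  hardened path              : %s\n", hardenedSessionPath($id) ?? '(rejected)');
}

// Constructed property arrays: a real user record versus eight unrelated
// keys in the style of a generic web-server configuration file.
$realUser = ['username' => 'admin', 'password' => 'x', 'locale' => 'en',
             'authMethod' => 'local', 'accessLevel' => 'admin',
             'preemptionLevel' => '4', 'userId' => '1', 'extra' => '1'];
$configFile = ['port' => '80', 'dir' => '/webroot', 'user' => 'nobody',
               'cgipat' => '**.php', 'logfile' => '/var/log/httpd',
               'pidfile' => '/var/run/httpd.pid', 'charset' => 'utf-8',
               'nochroot' => '1'];

foreach (['realUser' => $realUser, 'configFile' => $configFile] as $name => $props) {
    printf("%-10s count==8: %-3s isUserRecord: %s\n", $name,
        count($props) === 8 ? 'yes' : 'no',
        isUserRecord($props) ? 'yes' : 'no');
}
```

The script never touches the file system, so it can be run with any PHP 7 or 8 interpreter to compare the three checks. The traversal-plus-NUL input yields a path outside USER_DIR with the suffix stripped in the vulnerable variant and is rejected by both is_numeric() and ctype_digit(); the config-style array passes the count check but fails the key check.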
Impact and Conclusion
This problem demonstrates how a simple missing check allows for path traversal, which can be exploited in this case to bypass authentication. Although we were not able to obtain high privileges with the authentication bypass during the penetration test, it is likely possible to find a file that allows for user manipulation in a way that makes it appear as a valid user file for an administrator.
Disclosure Timeline
- April 30, 2025: ERNW informs VERTIV of the authentication bypass.
- July 18, 2025: VERTIV informs ERNW that a fix is in the testing phase and asks for an extension of the public disclosure time.
- July 2025: VERTIV releases fixed Avocent AutoView version 2.10.0.0.4736.
- September 08, 2025: Public release of this blog post.
Cheers!
Nils