CVE-2024-8685
📋 TL;DR
This path traversal vulnerability in Revolution Pi allows authenticated attackers to list directories on the device by manipulating the 'dir' parameter in the '/pictory/php/getFileList.php' endpoint. It affects Revolution Pi devices running the 2022-07-28-revpi-buster version from KUNBUS GmbH. Attackers could potentially discover sensitive files and directory structures.
💻 Affected Systems
- Revolution Pi
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker maps entire filesystem structure, discovers sensitive configuration files, credentials, or other critical system information that could lead to further exploitation.
Likely Case
Attacker enumerates directories to understand system layout and identify potential targets for additional attacks, though actual file access is not confirmed by this CVE.
If Mitigated
Directory listing reveals limited information but no actual file contents are exposed.
🎯 Exploit Status
Exploitation requires authenticated access and involves simple parameter manipulation in HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check KUNBUS for latest Revolution Pi updates
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-kunbus-gmbhs-revolution-pi
Restart Required: Yes
Instructions:
1. Check the KUNBUS website for security updates.
2. Update the Revolution Pi software to the latest version.
3. Restart the device.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Restrict web interface access
Limit access to the Revolution Pi web interface to trusted networks only
Configure firewall rules to restrict access to port 80/443 on Revolution Pi
Disable vulnerable endpoint
Remove or restrict access to the vulnerable PHP file
sudo mv /var/www/html/pictory/php/getFileList.php /var/www/html/pictory/php/getFileList.php.disabled
sudo systemctl restart apache2
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Revolution Pi devices
- Enforce strong authentication policies and monitor for suspicious access patterns
🔍 How to Verify
Check if Vulnerable:
As an authenticated user, send an HTTP GET request to /pictory/php/getFileList.php with a malicious dir parameter (e.g., dir=../../../)
Check Version:
Check Revolution Pi version in web interface or run: cat /etc/revpi/image-release
Verify Fix Applied:
Send the same request after patching; it should return an error or an empty result instead of a directory listing
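The check that separates a traversable listing endpoint from a contained one is the part that matters when judging whether a fix is real. The following is an added illustration of that check and is neither the Pictory PHP code nor the vendor's patch; it is written in Python so it can be run here, with a throw-away directory tree constructed inside the demo, but the same containment logic applies to a PHP handler.

```python
"""Safe handling of a user-supplied 'dir' parameter for a directory-listing endpoint.

Added illustration of the vulnerability class described above. It is not the
Pictory PHP code and not the vendor's fix; the directory tree in demo() is
constructed for this example.
"""
import os
import tempfile


def list_dir_unsafe(base, user_dir):
    """What a traversable listing looks like: the parameter is joined onto base
    with no containment check, so a value such as '..' walks out of the web root."""
    return sorted(os.listdir(os.path.join(base, user_dir)))


def resolve_within(base, user_dir):
    """Resolve user_dir relative to base and return the real path, or None if the
    result leaves base (via '..', an absolute path, or a symlink)."""
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, user_dir))
    # commonpath avoids the '/srv/www' vs '/srv/www2' prefix pitfall of startswith()
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate


def list_dir_safe(base, user_dir):
    """Return the listing for a contained directory, or an empty list otherwise
    (the 'error or empty result' behaviour a patched endpoint should show)."""
    target = resolve_within(base, user_dir)
    if target is None or not os.path.isdir(target):
        return []
    return sorted(os.listdir(target))


def demo():
    """Build a constructed tree and exercise both handlers side by side.

    Returns (inside, escaped_unsafe, escaped_safe, absolute_safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "projects"))
        open(os.path.join(root, "projects", "a.rsc"), "w").close()
        open(os.path.join(tmp, "outside.txt"), "w").close()

        inside = list_dir_safe(root, "projects")        # legitimate subdirectory
        escaped_unsafe = list_dir_unsafe(root, "..")    # leaks the parent of the web root
        escaped_safe = list_dir_safe(root, "..")        # contained handler refuses
        absolute_safe = list_dir_safe(root, "/")        # absolute path also refused
        return inside, escaped_unsafe, escaped_safe, absolute_safe


if __name__ == "__main__":
    for label, result in zip(("inside", "escaped_unsafe", "escaped_safe", "absolute_safe"), demo()):
        print(f"{label}: {result}")
```

Note that os.path.realpath is applied to both the base and the candidate before comparing, so a symlink planted inside the web root cannot be used to satisfy a naive prefix check.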
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /pictory/php/getFileList.php with suspicious dir parameters
- Multiple failed authentication attempts followed by directory listing requests
Network Indicators:
- Unusual patterns of requests to the Pictory endpoint from single IPs
- Directory traversal patterns in HTTP parameters
SIEM Query:
source="web_logs" AND uri="/pictory/php/getFileList.php" AND (param.dir=".." OR param.dir CONTAINS "/" OR param.dir CONTAINS "%")
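The SIEM query above is written in a generic pseudo-syntax, and matching the literal string ".." misses percent-encoded variants. The following added example (not part of the advisory or of any KUNBUS tooling) implements the same log indicators over Apache combined-format access log lines: it decodes the dir parameter before matching, records why each request was flagged, and counts hits per source IP for the "single IP" network indicator. The log lines embedded in it are constructed for this example.

```python
"""Flag access-log lines that look like directory traversal attempts against
/pictory/php/getFileList.php.

Added illustration, not part of the advisory or any vendor tooling. Assumes
Apache "combined" log format; the SAMPLE_LOG lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

ENDPOINT = "/pictory/php/getFileList.php"

# client ip, identity, auth user, [time], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# a '..' path segment delimited by slashes, backslashes, or the string ends
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# constructed sample: one benign listing, two traversal attempts (plain and
# percent-encoded), one unrelated endpoint, one absolute-path attempt
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Sep/2024:10:00:01 +0000] "GET /pictory/php/getFileList.php?dir=projects HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [01/Sep/2024:10:00:02 +0000] "GET /pictory/php/getFileList.php?dir=../../../ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - admin [01/Sep/2024:10:00:03 +0000] "GET /pictory/php/getFileList.php?dir=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Sep/2024:10:00:04 +0000] "GET /index.php?dir=../ HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [01/Sep/2024:10:00:05 +0000] "GET /pictory/php/getFileList.php?dir=/etc HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %2e%2e and %252e%252e)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def raw_query_params(query):
    """Split a query string WITHOUT decoding values, so encoding tricks stay visible."""
    params = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((unquote(key), value))
    return params


def classify_dir_param(raw):
    """Return the reasons a dir value looks suspicious (empty list means benign)."""
    reasons = []
    decoded = decode_fully(raw)
    if TRAVERSAL_RE.search(decoded):
        reasons.append("dot-dot segment")
    if decoded.startswith(("/", "\\")):
        reasons.append("absolute path")
    if "\x00" in decoded:
        reasons.append("null byte")
    if decoded != raw and "%" in raw:
        reasons.append("percent-encoded")
    return reasons


def scan_log(lines):
    """Return (ip, user, raw_dir, reasons) for suspicious getFileList.php requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        for key, raw in raw_query_params(parts.query):
            if key != "dir":
                continue
            reasons = classify_dir_param(raw)
            if reasons:
                hits.append((m.group("ip"), m.group("user"), raw, reasons))
    return hits


def hits_per_ip(hits):
    """Count flagged requests per source IP (the 'single IP' network indicator)."""
    return Counter(ip for ip, _, _, _ in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, user, raw, reasons in found:
        print(f"{ip} user={user} dir={raw!r} -> {', '.join(reasons)}")
    print(dict(hits_per_ip(found)))
```

Feeding real access logs through scan_log is a matter of replacing SAMPLE_LOG with the file's lines; the decoded-before-match step is what makes the "CONTAINS '%'" clause in the query above unnecessary.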