PROLiNK PRC2402M OS Command Injection Vulnerability in live_api.cgi via ip Parameter

Vulnerability

An OS command injection vulnerability has been identified in the PROLiNK PRC2402M router, specifically in versions prior to the patch released on June 13, 2021. The issue arises in the 'live_api.cgi' script, where user input in the 'ip' parameter is not properly validated before being passed to the system command execution function. This lack of input sanitization allows for arbitrary code execution with root privileges on the affected device. Exploitation of this vulnerability does not require authentication.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected router, with the executed commands running as the root user.

Reproduction

To reproduce this vulnerability, send a GET request to 'live_api.cgi' with the 'page' parameter set to 'satellite_list' and the 'ip' parameter containing the command to be executed. Ensure that the command is properly URL-encoded so that the server processes the request correctly.

Remediation

Users are advised to update to the version released on June 13, 2021, which addresses this vulnerability.
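
For reviewing web server or proxy logs for requests of the shape described under Reproduction, the following Python example is added here and is not code from the vendor or from this advisory. It assumes common-log-format lines and that a legitimate 'ip' value is always a plain IPv4 or IPv6 address; the log lines, addresses and the "/live_api.cgi" location are constructed.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed sample lines in common log format; not captured traffic.
# The "/live_api.cgi" location and all addresses are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2026:19:54:01 +0000] '
    '"GET /live_api.cgi?page=satellite_list&ip=192.168.1.20 HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Feb/2026:19:54:07 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.12 - - [20/Feb/2026:19:54:09 +0000] '
    '"GET /live_api.cgi?page=satellite_list&ip=192.168.1.20%20CONSTRUCTED-NON-ADDRESS HTTP/1.1" 200 0',
]


def request_target(log_line):
    """Return the request target (path plus query) of a log line, or None."""
    try:
        request = log_line.split('"')[1]          # 'GET /path?query HTTP/1.1'
        _method, rest = request.split(" ", 1)
        return rest.rsplit(" ", 1)[0]             # drop the trailing HTTP version
    except (IndexError, ValueError):
        return None


def is_suspicious(log_line):
    """True when the satellite_list page is requested with a non-address 'ip'."""
    target = request_target(log_line)
    if target is None:
        return False
    path, _, query = target.partition("?")
    if not path.endswith("live_api.cgi"):
        return False
    params = parse_qs(query)                      # percent-decodes the values
    if "satellite_list" not in params.get("page", []):
        return False
    for value in params.get("ip", []):
        try:
            ipaddress.ip_address(value)           # allowlist: address literals only
        except ValueError:
            return True
    return False


def scan(lines):
    """Return the log lines that warrant review."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("REVIEW:", hit)
```

The check is an allowlist rather than a list of shell metacharacters, so any 'ip' value that does not parse as an address is surfaced regardless of how it is encoded.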

Added: Feb 20, 2026, 7:54 PM
Updated: Feb 20, 2026, 7:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.