Algo 8028 Control Panel Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the Algo 8028 Control Panel, version 3.3.3. The flaw resides in the fm-data.lua endpoint: an authenticated attacker can inject shell commands through the 'source' parameter of a crafted POST request. The injected commands are executed with root privileges, giving the attacker remote code execution on the device.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected system, with the injected commands being executed as the root user.
Reproduction
To reproduce this vulnerability, an authenticated user sends a POST request to the fm-data.lua endpoint with a command injection payload in the 'source' parameter, for example a command that redirects the output of the id command into a text file under the web server's document root. Once the injected command has run, the user retrieves its output by requesting that text file through the web server.
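The description above gives defenders two concrete indicators: the endpoint name (fm-data.lua) and the parameter name ('source'). The following script, added here as an illustration and not part of the advisory or of Algo's software, shows how to flag such requests in captured HTTP traffic or a reverse-proxy log. The two sample requests, the host address, the file name in the benign request and the exact payload encoding are all constructed for the example; the only facts taken from the advisory are the endpoint, the parameter and the POST method.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a form value break out of a shell command string:
# command separators, pipes, redirection, backtick/variable substitution.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, request-target, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return method, target, body


def fm_data_injection(raw: str):
    """Return the suspicious 'source' value when the request is a POST to
    fm-data.lua whose form body carries shell metacharacters in 'source'.
    Return None for every other request (other endpoints, GET, clean values).
    Filtering on POST follows the advisory's description of the attack."""
    method, target, body = parse_request(raw)
    if method.upper() != "POST":
        return None
    if not urlsplit(target).path.endswith("/fm-data.lua"):
        return None
    # parse_qs decodes percent-encoding, so %3B is inspected as ';'.
    for value in parse_qs(body, keep_blank_values=True).get("source", []):
        if SHELL_META.search(value):
            return value
    return None


# Constructed sample requests (not captured traffic). The second follows the
# shape the advisory describes: redirect the output of id into a text file
# that can later be fetched through the web server.
BENIGN = (
    "POST /fm-data.lua HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "source=tones%2Fring.wav"
)
MALICIOUS = (
    "POST /fm-data.lua HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "source=tones%3Bid%3Eout.txt"
)

if __name__ == "__main__":
    for req in (BENIGN, MALICIOUS):
        print(fm_data_injection(req))
```

Because exploitation requires valid credentials, a hit from this check should be correlated with the authenticated session or account that issued the request; the flagged value is also what to search for in the device's file system when looking for the output file the attacker left behind.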
Remediation
Users are advised to update to the latest version of the Algo 8028 Control Panel firmware. Firmware update notifications can be subscribed to via the Algo website. Until the update is applied, restrict access to the control panel to trusted management networks and review which accounts hold control panel credentials, since exploitation requires authentication.