Arcadyan Meteor 2 CPE FG360 Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in the Arcadyan Meteor 2 CPE FG360 firmware version ETV2.10. This vulnerability allows attackers to execute arbitrary code by sending a crafted request. The issue arises from the iPerf3 utility on the device, which is susceptible to command injection. Exploitation of this vulnerability enables the execution of limited operating system commands, such as initiating a system reboot or establishing a reverse shell connection to the attacker's server, thereby allowing remote control of the device.

Impact

Exploitation of this vulnerability could lead to unauthorized remote execution of code on the affected device, potentially allowing an attacker to gain control over the device's functions and operations.

Reproduction

To reproduce this vulnerability, log into the device and navigate to the Network utility section, specifically the iPerf area. Intercept the request using Burp Suite, where the endpoint 'tool_iperf3.cgi' will be visible. In the post request, locate the parameter '&cmd='. Commands can be injected by terminating the existing command with a semicolon and adding a system command. For example, a payload could be crafted to remove a file, create a named pipe, and establish a reverse shell connection to the attacker's server.