KuWFi 4G AC900 LTE Router Command Injection Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A command injection vulnerability has been identified in the KuWFi 4G AC900 LTE router, specifically in version 1.0.13. The issue resides within the HTTP API endpoints '/goform/formMultiApnSetting' and '/goform/atCmd'. An authenticated attacker can exploit this vulnerability by injecting shell metacharacters into parameters such as 'pincode' and 'cmds', allowing for the execution of arbitrary operating system commands with root privileges. This exploitation could lead to a complete system compromise, including the activation of remote access services like telnet.
Impact
Exploitation of this vulnerability allows for arbitrary command execution with root privileges, potentially leading to a full system compromise. Additionally, it could enable unauthorized remote access by activating services such as telnet.
Reproduction
To reproduce this vulnerability, send a POST request to the '/goform/formMultiApnSetting' endpoint with a crafted 'pincode' parameter that includes shell metacharacters. This will execute the injected command with root privileges. Alternatively, the '/goform/atCmd' endpoint can be used with a similar approach, injecting commands into the 'cmds' parameter.
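A detection check for the two requests described above, as an added example that is not part of the original advisory or the vendor's firmware: it flags POST bodies to these endpoints whose 'pincode' is not a plain SIM PIN or whose 'cmds' carries shell metacharacters. The form-encoded body format, the metacharacter set, the 4 to 8 digit PIN rule and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Endpoint -> injectable parameter, as named in the advisory.
WATCHED = {
    "/goform/formMultiApnSetting": "pincode",
    "/goform/atCmd": "cmds",
}
# Assumed set of characters a POSIX shell uses for chaining, substitution and redirection.
SHELL_META = set(";|&`$()<>\n\r")
# Assumption: a SIM PIN is 4 to 8 decimal digits; an empty field means "no PIN supplied".
PIN_RE = re.compile(r"[0-9]{4,8}")


def inspect_request(method, path, body):
    """Return (parameter, reason) findings for one request; an empty list means clean."""
    param = WATCHED.get(path.split("?", 1)[0])
    if param is None or method.upper() != "POST":
        return []
    findings = []
    # parse_qsl percent-decodes values, so "%3B" and ";" are treated alike,
    # and it yields every occurrence of a repeated parameter.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name != param:
            continue
        meta = "".join(sorted(SHELL_META.intersection(value)))
        if name == "pincode" and value and not PIN_RE.fullmatch(value):
            findings.append((name, "not a 4-8 digit PIN"))
        elif name == "cmds" and meta:
            findings.append((name, "shell metacharacters: " + repr(meta)))
    return findings


# Constructed sample requests (method, path, body); PLACEHOLDER stands in for injected text.
SAMPLES = [
    ("POST", "/goform/formMultiApnSetting", "apn=internet&pincode=1234"),
    ("POST", "/goform/formMultiApnSetting", "apn=internet&pincode=1234%3BPLACEHOLDER"),
    ("POST", "/goform/atCmd", "cmds=AT%2BCSQ"),
    ("POST", "/goform/atCmd", "cmds=AT%2BCSQ%7CPLACEHOLDER"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(path, body, "->", inspect_request(method, path, body) or "clean")
```

AT syntax legitimately uses characters such as '&' and ';' in some commands (AT&F, for example), so hits on 'cmds' need triage rather than automatic blocking.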
