UTT Jinqi 750W Command Injection Vulnerability in Web Management Interface

Vulnerability

A command injection vulnerability has been identified in the UTT Jinqi 750W device, running firmware versions through 3.2.2-191225. The issue arises in the web management interface, specifically within the '/goform/formPdbUpConfig' endpoint. The vulnerability is triggered by manipulating the 'policyNames' parameter, which is processed without adequate validation and ultimately used in a system call. This flaw can be exploited remotely, potentially leading to unauthorized command execution on the device.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the device or its HTTP service; the service may then restart, or the crash may cause the device to reboot. Under certain conditions, it could also allow remote code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/formPdbUpConfig' endpoint with a crafted 'policyNames' parameter. If the 'policyNames' value is not 'All' and is not empty, the request is processed by a vulnerable subroutine that lacks proper input validation. The unvalidated 'policyNames' value is then used in a formatted system call, creating a risk of buffer overflow and command injection. Exploitation can be demonstrated by injecting a command that writes a file to a web-accessible directory, indicating successful command execution.
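
The input check that the paragraph above describes as missing could look like the following. This is an added example, not code from the UTT firmware or from this advisory. The names check_policy_names and POLICY_NAMES_MAX, the 128-byte cap and the comma as list separator are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POLICY_NAMES_MAX 128  /* assumed cap, not a value from the firmware */

enum pdb_action { PDB_DEFAULT, PDB_NAMED, PDB_REJECT };

/* Allowlist for one byte: ASCII letters, digits, '_', '-', and ',' as the
 * assumed list separator. Quotes, whitespace and shell metacharacters fail. */
static int allowed_byte(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == ',';
}

/* Decide what to do with policyNames before anything is formatted.
 * On PDB_NAMED the checked value is copied into out (NUL-terminated). */
enum pdb_action check_policy_names(const char *value, char *out, size_t out_len)
{
    size_t n = 0;

    if (value == NULL || value[0] == '\0' || strcmp(value, "All") == 0)
        return PDB_DEFAULT;        /* empty or "All": not the path the advisory describes */

    while (value[n] != '\0') {
        if (n >= POLICY_NAMES_MAX || !allowed_byte((unsigned char)value[n]))
            return PDB_REJECT;     /* too long or contains a disallowed byte */
        n++;
    }
    if (out == NULL || n + 1 > out_len)
        return PDB_REJECT;         /* would not fit: refuse, never truncate */

    memcpy(out, value, n + 1);
    return PDB_NAMED;
}

int main(void)
{
    char buf[POLICY_NAMES_MAX + 1];
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "All", "web,mail_1", "web;x" };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s -> %d\n", samples[i],
               (int)check_policy_names(samples[i], buf, sizeof buf));
    return 0;
}
```

A value that passes this check should still be handed to the helper as a separate argument (for example through an exec-style call) rather than formatted into a shell command string.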

Added: Nov 20, 2025, 3:45 PM
Updated: Nov 20, 2025, 3:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.