UGREEN DH2100+ Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the UGREEN DH2100+ NAS device, affecting versions through 5.3.0.251125. The issue arises in the 'handler_file_backup_create' function within the 'nas_svr' component, specifically at the '/v1/file/backup/create' endpoint. The vulnerability allows remote attackers to manipulate the 'path' argument, leading to unauthorized command execution on the device. Exploitation involves creating a directory through directory traversal, injecting malicious commands that are executed with root privileges on the NAS device.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected NAS device, with the executed commands running with root privileges.
Reproduction
To reproduce this vulnerability, send a request to the '/v1/file/backup/create' endpoint with a crafted 'path' argument that exploits directory traversal. The injected 'path' should include malicious commands disguised as directory names, which will be executed on the NAS device with root privileges.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.