ZSPACE Z4Pro+ Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the ZSPACE Z4Pro+ NAS device running firmware version 1.0.0440024. The issue arises in the HTTP POST request handler for the '/v2/file/safe/status' endpoint, specifically within the 'zfilev2_api_SafeStatus' function. This vulnerability allows remote attackers to inject and execute arbitrary commands on the affected device, with the executed commands running with root privileges, thereby granting full control over the NAS device.

Impact

Exploitation of this vulnerability leads to unauthorized command execution on the affected device, with the executed commands being run as the root user. This allows an attacker to gain complete control over the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/v2/file/safe/status' endpoint with a crafted 'safe_dir' parameter. The parameter should be constructed to include a command injection payload, such as a command that uses 'busybox' to initiate a reverse shell. Once the payload is executed, the injected command will be executed on the device with root privileges.
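From the defender's side, the fix for this class of bug is to validate 'safe_dir' against an allow-list before it ever reaches a shell, and the same check can be run over incoming requests to flag attempts. The following is an added example, not code from the advisory or from the ZSPACE firmware; the allow-list policy, the function names and the sample requests are assumptions.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory; everything else is assumed.
TARGET_PATH = "/v2/file/safe/status"
PARAM = "safe_dir"

# Shell metacharacters that have no place in a directory name handed to a shell.
METACHARS = re.compile(r"[;&|`$<>\n\r(){}\\]")
# Assumed allow-list: an absolute path built only from plain path segments.
SAFE_DIR_RE = re.compile(r"^/(?:[A-Za-z0-9._-]+/?)*$")


def is_valid_safe_dir(value: str) -> bool:
    """Hardened check a fixed handler could apply before any system()/popen call."""
    if METACHARS.search(value):
        return False
    if not SAFE_DIR_RE.fullmatch(value):
        return False
    # The allow-list still admits ".." segments, so reject traversal explicitly.
    return ".." not in value.split("/")


def inspect_request(method: str, path: str, body: str) -> dict:
    """Flag a POST to the vulnerable endpoint whose safe_dir fails the allow-list."""
    if method != "POST" or path != TARGET_PATH:
        return {"suspicious": False, "reason": "other endpoint"}
    # parse_qs percent-decodes, so encoded metacharacters are caught as well.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    bad = [v for v in values if not is_valid_safe_dir(v)]
    if bad:
        return {"suspicious": True, "reason": f"{PARAM} failed allow-list", "values": bad}
    return {"suspicious": False, "reason": "clean"}


# Constructed sample requests (not captured traffic): method, path, form body.
SAMPLE_REQUESTS = [
    ("POST", "/v2/file/safe/status", "safe_dir=/mnt/safe/photos"),
    ("POST", "/v2/file/safe/status", "safe_dir=/mnt/safe;id"),
    ("POST", "/v2/file/safe/status", "safe_dir=%2Fmnt%2Fsafe%24%28id%29"),
    ("GET", "/v2/file/list", "dir=/mnt/safe"),
]


def scan(requests):
    """Return the requests that should raise an alert."""
    return [r for r in requests if inspect_request(*r)["suspicious"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print("ALERT", r)
```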

Added: Dec 28, 2025, 10:23 AM
Updated: Dec 28, 2025, 10:23 AM

Vulnerability Rating

Custom Algorithm scores (0.0 to 10.0):
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.