ZSPACE Z4Pro+ Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the ZSPACE Z4Pro+ NAS device running firmware version 1.0.0440024. The flaw lies in the HTTP POST request handler function 'zfilev2_api_open', which serves the '/v2/file/safe/open' endpoint. It allows remote attackers to inject and execute arbitrary commands on the affected device; because the handler runs as root, the injected commands execute with root privileges and compromise the entire system.
Impact
Exploitation of this vulnerability leads to remote code execution on the affected NAS device, with the executed commands being run as the root user, allowing full control over the device.
Reproduction
To reproduce this vulnerability, send a POST request to the '/v2/file/safe/open' endpoint with a 'safe_dir' parameter that includes a crafted snapshot directory path. The path should be constructed to bypass existing validation checks and include a command injection payload. Once the snapshot is created, the injected command will be executed on the device.
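As an added defender-side illustration (not code from the advisory or the vendor), the following Python checks a 'safe_dir' value against a strict allowlist, the kind of validation the handler should apply before passing the path to any snapshot routine, and runs that check over request-log lines to flag POSTs to '/v2/file/safe/open' carrying suspicious values. The log format, the '/mnt/safe/...' paths and the log contents are constructed for the example; the real device's log format is not documented on the page.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request log in a simplified "<method> <path> <form body>"
# format. This is NOT the NAS's real log format; it exists only to exercise the check.
SAMPLE_LOG = """\
POST /v2/file/safe/open safe_dir=%2Fmnt%2Fsafe%2Fphotos&user=alice
POST /v2/file/safe/open safe_dir=%2Fmnt%2Fsafe%2Fdocs%3Becho%20test&user=bob
POST /v2/file/safe/open safe_dir=%2Fmnt%2Fsafe%2F..%2F..%2Fetc&user=carol
POST /v2/file/list path=%2Fmnt%2Fsafe%2Fphotos
GET /v2/file/safe/open safe_dir=%2Fmnt%2Fsafe%2Fphotos
"""

VULN_ENDPOINT = "/v2/file/safe/open"

# Allowlist: an absolute path made only of letters, digits, '_', '.', '/' and '-'.
# Everything a shell could interpret (';', '|', '&', '`', '$', quotes, whitespace,
# newlines, parentheses) is rejected simply by not being in the class.
ALLOWED = re.compile(r"/[A-Za-z0-9_./-]*")


def safe_dir_is_clean(value: str) -> bool:
    """Return True only if value passes the allowlist and has no '..' segment."""
    if not ALLOWED.fullmatch(value):
        return False
    # Reject parent-directory traversal so the snapshot stays inside the intended tree.
    return ".." not in value.split("/")


def suspicious_requests(log_text: str) -> list:
    """Return POSTs to the vulnerable endpoint whose safe_dir fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # malformed line in the constructed format; skip it
        method, path, body = parts
        if method != "POST" or path != VULN_ENDPOINT:
            continue
        # parse_qs percent-decodes the body, so the check sees the value the handler sees.
        for safe_dir in parse_qs(body).get("safe_dir", []):
            if not safe_dir_is_clean(safe_dir):
                hits.append({"line": line, "safe_dir": safe_dir})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious safe_dir:", repr(hit["safe_dir"]))
```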
