AMTT Hotel Broadband Operation System
- 1.0
A critical OS command injection vulnerability has been identified in AMTT Hotel Broadband Operation System version 1.0. The issue arises in a call to the 'popen' function in the file '/manager/network/port_setup.php'. Manipulating the 'SwitchVersion', 'SwitchWrite', 'SwitchIP', 'SwitchIndex', and 'SwitchState' parameters allows arbitrary command execution on the server. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for arbitrary OS command execution on the server where the application is running.
To reproduce this vulnerability, send a GET request to '/manager/network/port_setup.php' with the 'SwitchIP', 'SwitchPort', 'SwitchIndex', and 'SwitchVersion' parameters. The 'SwitchVersion' parameter should be crafted to include the desired command, such as 'whoami' redirected to a file, like '1.txt'. After the request is processed, the output of the executed command can be retrieved from the same directory where the command was executed.
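For defenders, the request pattern described above can be hunted in web server access logs. The following is an added example, not code from the vendor or from the original advisory: it flags requests to '/manager/network/port_setup.php' whose Switch* parameters contain anything outside a conservative allowlist, then flags a later successful fetch of a non-PHP file from the same directory by the same client. The combined log format, the allowlist of legitimate characters, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET = "/manager/network/port_setup.php"
TARGET_DIR = TARGET.rsplit("/", 1)[0] + "/"
# Parameter names taken from the advisory text.
PARAMS = {"SwitchVersion", "SwitchWrite", "SwitchIP",
          "SwitchIndex", "SwitchState", "SwitchPort"}
# Assumption: legitimate values are short tokens (IP addresses, numbers, version strings).
SAFE_VALUE = re.compile(r"[A-Za-z0-9.:_-]*")
# Assumption: Apache/nginx "combined" access log format.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                      r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan(lines):
    """Return (line_no, client_ip, finding, detail) tuples for suspicious requests."""
    findings, suspects = [], set()
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = unquote(url.path)
        if path == TARGET:
            # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
            bad = sorted({k for k, v in parse_qsl(url.query, keep_blank_values=True)
                          if k in PARAMS and not SAFE_VALUE.fullmatch(v)})
            if bad:
                suspects.add(m["ip"])
                findings.append((n, m["ip"], "injection-attempt", ",".join(bad)))
        elif (m["ip"] in suspects and path.startswith(TARGET_DIR)
              and not path.endswith(".php") and m["status"] == "200"):
            # Same client fetching a non-PHP file from the script's directory afterwards.
            findings.append((n, m["ip"], "output-retrieval", path))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /manager/network/port_setup.php?SwitchIP=192.0.2.10&SwitchPort=1&SwitchIndex=1&SwitchVersion=2c HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /manager/network/port_setup.php?SwitchIP=192.0.2.10&SwitchPort=1&SwitchIndex=1&SwitchVersion=1%3Bwhoami%3E1.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:05 +0000] "GET /manager/network/1.txt HTTP/1.1" 200 9',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /manager/network/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The allowlist is deliberately strict, so tune it against known-good traffic before alerting on it.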