EnGenius EnShare Cloud Service Command Injection Vulnerability Allowing Root Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the EnGenius EnShare Cloud Service, version 1.4.11 and earlier. The issue lies in the usbinteract.cgi script (reached at /web/cgi-bin/usbinteract.cgi), which does not adequately sanitize the user-supplied path parameter before it reaches a shell. Because the CGI runs as root and the endpoint requires no authentication, a remote attacker can append shell metacharacters and commands to the path value and have them executed with root privileges, resulting in complete compromise of the device.

Impact

Successful exploitation gives an unauthenticated remote attacker arbitrary command execution as root on the affected device, and therefore full control of it.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/web/cgi-bin/usbinteract.cgi' endpoint with a 'path' parameter that carries the shell commands to be executed; the device runs them with root privileges. A simple Python script that opens a TCP connection to the device, sends the crafted HTTP request and prints the response is sufficient, since the output of the injected commands is returned in the HTTP response body. A harmless command such as 'id' is enough to confirm the issue: a response containing 'uid=0(root)' shows both the injection and the root context.

Remediation

EnGenius has released firmware updates for the affected devices; download instructions are available on the EnGenius Networks website. Until the update is applied, the device's web interface (and the EnShare service) should not be reachable from untrusted networks, since the endpoint requires no authentication.

Added: Jun 24, 2025, 1:34 AM
Updated: Jun 24, 2025, 1:34 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.2
threat: 6.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.