Shenzhen TVT White-Labeled DVRs OS Command Injection Vulnerability

A command injection vulnerability has been identified in white-labeled DVRs that use Shenzhen TVT firmware. This issue affects a custom HTTP service named 'Cross Web Server', which listens on TCP ports 81 and 82. The vulnerability arises because the web interface does not properly sanitize input in the URI path for the language extraction feature. When a request is made to '/language/[lang]/index.html', the server processes the '[lang]' input in a tar extraction command without adequate escaping. This flaw allows an unauthenticated remote attacker to inject shell commands and execute arbitrary commands as the root user.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution with root privileges on the affected device.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP request to the '/language/[lang]/index.html' endpoint on the affected DVR. The '[lang]' parameter can be manipulated to include shell command injections, which are executed on the server due to improper input handling. After the injection, the 'tar' command can be used to extract files, leveraging the command execution capability.