Shenzhen Aitemi M300 Wi-Fi Repeater OS Command Injection Vulnerability

A command injection vulnerability has been identified in the Shenzhen Aitemi M300 Wi-Fi Repeater, specifically in hardware model MT02. This vulnerability allows unauthenticated remote attackers within Wi-Fi range to execute arbitrary shell commands as root, leading to full device compromise. The issue arises when the device is configured in WISP mode, where the 'ssid' parameter is sent unsanitized to system-level scripts.

Impact

Exploitation of this vulnerability allows for unauthorized OS command execution with root privileges, compromising the affected device completely.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/protocol.csp?' with the 'ssid' parameter containing the injected command. This command is executed immediately, before the device reboots, allowing for persistent access. Alternatively, the same injection can be done through the 'extap2g' parameter, which also executes commands as root without triggering a reboot.