Shenzhen Aitemi M300 Wi-Fi Repeater Command Injection Vulnerability Allowing Root Access
Vulnerability
A command injection vulnerability has been identified in the Shenzhen Aitemi M300 Wi-Fi Repeater, specifically in the 'passwd' parameter during the PPPoE setup process. This vulnerability allows unauthenticated attackers to execute commands at the root level, as the input is passed directly to system commands without proper sanitization. The issue arises in the repeater's firmware, which uses a Lighttpd web server and is accessible through the device's management interface.
Impact
Exploitation of this vulnerability leads to unauthorized root-level access on the affected device, allowing attackers to execute arbitrary commands. This could potentially be used to pivot into the user's home network, posing further security risks.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/protocol.csp' endpoint with the 'passwd' parameter included. The injected payload is executed as a command on the device, taking advantage of the lack of input validation. After the command is executed, the device reboots, but the injection can be repeated.
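The missing input handling described above can be closed on the firmware side by treating the PPPoE password strictly as data. The following is an added example, not code from the M300 firmware or the vendor: the function name `quote_shell_word` and the sample values are assumptions, and it shows single-quote escaping for the case where a shell call cannot be avoided (running the helper program through an `execve`-style argument vector with no shell is the stronger fix).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the M300 firmware): copy `in` to `out` as one
 * single-quoted POSIX shell word, so metacharacters such as ; | $ ` remain
 * literal data. Returns 0 on success, -1 if the value is rejected. */
int quote_shell_word(const char *in, char *out, size_t outlen)
{
    size_t o = 0;

    if (in == NULL || out == NULL || outlen < 3)   /* need at least '' + NUL */
        return -1;

    out[o++] = '\'';
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        /* Control bytes (newline, CR, ESC, DEL) do not belong in a PPPoE secret. */
        if (*p < 0x20 || *p == 0x7f)
            goto fail;
        /* A single quote becomes '\'' (close, escaped quote, reopen). */
        size_t n = (*p == '\'') ? 4 : 1;
        /* Keep room for the closing quote and the terminating NUL. */
        if (o + n + 2 > outlen)
            goto fail;
        if (n == 4) {
            memcpy(out + o, "'\\''", 4);
        } else {
            out[o] = (char)*p;
        }
        o += n;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;

fail:
    out[0] = '\0';   /* never leave a half-built word behind */
    return -1;
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "hunter2", "a;b|c$d`e", "it's", "a\nb" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = quote_shell_word(samples[i], buf, sizeof buf);
        printf("rc=%d quoted=%s\n", rc, buf);
    }
    return 0;
}
```

A rejected value should cause the CGI handler to return an error without touching the PPPoE configuration.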
