H3C Magic Products Command Injection Vulnerability
Vulnerability
A critical command injection vulnerability has been identified in several H3C Magic home router models, including the NX15, NX30 Pro, NX400, and R3010, all prior to version V100R014. The vulnerability resides in the HTTP POST request handler, specifically within the 'FCGI_WizardProtoProcess' function of the '/api/wizard/getSpecs' endpoint. This issue allows attackers to execute arbitrary commands on the affected devices. Exploitation requires access to the local network, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for unauthorized command execution on the affected router, potentially leading to a full compromise of the device.
Reproduction
To reproduce this vulnerability, send a crafted POST request to the '/api/wizard/getSpecs' endpoint while connected to the same local network as the target router. The request must carry a payload that triggers the command injection flaw; the public exploit available on Gist does this.
Remediation
Users are advised to upgrade to the latest version of the router's firmware. The patched versions for each affected model are available on the H3C website.
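Until the firmware is upgraded, requests to the affected endpoint can be watched for on the LAN. The following is an added example, not code from this advisory or from H3C: it triages captured HTTP requests for POSTs to '/api/wizard/getSpecs'. The record layout (JSON lines with src, method, uri, body), the field name example_key, the body encodings and the metacharacter list are assumptions.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/api/wizard/getSpecs"  # endpoint named in the advisory
# Characters a shell treats specially; assumed never needed in legitimate wizard values.
SHELL_META = re.compile(r"[;&|`$<>\n\\]")

def body_values(body):
    """Yield each string value from a JSON or form-encoded body (encoding is an assumption)."""
    try:
        stack = [json.loads(body)]
    except ValueError:
        # Not JSON: treat as form data; parse_qsl also undoes percent-encoding.
        yield from (v for _, v in parse_qsl(body, keep_blank_values=True))
        return
    while stack:  # walk nested objects and arrays
        item = stack.pop()
        if isinstance(item, dict):
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)
        elif isinstance(item, str):
            yield item

def triage(record):
    """None = unrelated, 'review' = POST to the endpoint, 'alert' = metacharacters in a value."""
    path = urlsplit(record["uri"]).path.rstrip("/")
    if record["method"].upper() != "POST" or path != ENDPOINT:
        return None
    if any(SHELL_META.search(v) for v in body_values(record["body"])):
        return "alert"
    return "review"

def scan(lines):
    """Return (source address, verdict) for every record that needs attention."""
    records = (json.loads(line) for line in lines)
    return [(r["src"], v) for r in records if (v := triage(r))]

# Constructed sample records, not real traffic; example_key is a hypothetical field name.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "192.0.2.50", "method": "GET", "uri": "/index.html", "body": ""},
    {"src": "192.0.2.51", "method": "POST", "uri": ENDPOINT, "body": '{"example_key": "abc"}'},
    {"src": "192.0.2.52", "method": "POST", "uri": ENDPOINT, "body": '{"example_key": "abc;id"}'},
    {"src": "192.0.2.53", "method": "POST", "uri": ENDPOINT + "?x=1", "body": "example_key=abc%7Cid"},
]]
```

A 'review' verdict only means the endpoint was called; the setup wizard may do this legitimately, so the source address and timing decide whether it matters.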
