H3C Magic Products Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in several H3C Magic home router models, including the Magic NX15, NX30 Pro, NX400, and R3010, all running versions through V100R014. The vulnerability resides in the HTTP POST request handler, specifically within the FCGI_WizardProtoProcess function. Exploitation of this vulnerability requires access to the local network, either through a physical connection or via Wi-Fi, and involves sending a crafted POST request to the /api/wizard/setsyncpppoecfg endpoint. Successful exploitation allows an attacker to gain unauthorized access to the router's command interface, potentially leading to a root shell on the device.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected router, with the potential to gain root access, according to a public disclosure by a security researcher.

Reproduction

To reproduce this vulnerability, connect to the local network of an affected H3C Magic router model. Then, send an HTTP POST request to the /api/wizard/setsyncpppoecfg endpoint. The request must be crafted to include payloads that exploit the command injection vulnerability. This can be done using tools like curl or Postman, or through a custom script that automates the process.

Remediation

Users are advised to upgrade to the latest firmware version available for their specific router model. Instructions for downloading the update can be found on the H3C official website.
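While devices are still waiting for the firmware update, POST requests to the endpoint named above can be watched for from a LAN sensor or proxy. The following detection sketch is an added example, not part of the original advisory or of H3C's code: the JSON-lines record layout, the body field names "user" and "pass", and the function names are assumptions, and the sample log is constructed.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/api/wizard/setsyncpppoecfg"  # path named in the advisory
SHELL_META = re.compile(r"[;|&`<>\r\n]|\$[({]")  # separators, redirection, substitution

def body_values(body):
    """Yield (field, value) string pairs from a JSON or form-encoded body."""
    try:
        doc = json.loads(body)
    except ValueError:
        # Form body: split on '&' first so the field separator is not flagged.
        yield from parse_qsl(body, keep_blank_values=True)
        return
    stack = [("", doc)]
    while stack:
        key, node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.items())
        elif isinstance(node, list):
            stack.extend((key, item) for item in node)
        elif isinstance(node, str):
            yield key, unquote(node)

def suspicious_requests(log_text):
    """Return (ts, src, field) for POSTs to ENDPOINT carrying shell metacharacters."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        # Ignore query string, trailing slash and case so path variants still match.
        path = urlsplit(rec["uri"]).path.rstrip("/").lower()
        if rec["method"].upper() != "POST" or path != ENDPOINT:
            continue
        for field, value in body_values(rec.get("body", "")):
            if SHELL_META.search(value):
                hits.append((rec["ts"], rec["src"], field))
    return hits

# Constructed sample log (JSON lines); the record layout and the body field
# names "user" and "pass" are assumptions, not taken from the advisory.
SAMPLE_LOG = r"""
{"ts":"19:01:02","src":"192.168.124.20","method":"POST","uri":"/api/wizard/setsyncpppoecfg","body":"user=alice&pass=s3cret"}
{"ts":"19:04:40","src":"192.168.124.57","method":"POST","uri":"/api/wizard/setsyncpppoecfg?x=1","body":"user=alice%3BPLACEHOLDER&pass=x"}
{"ts":"19:05:11","src":"192.168.124.57","method":"POST","uri":"/API/wizard/setsyncpppoecfg/","body":"{\"user\":\"alice\",\"pass\":\"$(PLACEHOLDER)\"}"}
{"ts":"19:06:00","src":"192.168.124.20","method":"GET","uri":"/api/wizard/setsyncpppoecfg","body":""}
"""

if __name__ == "__main__":
    print(*suspicious_requests(SAMPLE_LOG), sep="\n")
```

A legitimate password containing one of these characters will also be flagged, so hits are leads for triage rather than confirmed exploitation.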

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.