Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Smartbedded MeteoBridge Command Injection Vulnerability Allowing Remote Root Access
Vulnerability
A command injection vulnerability has been identified in the Smartbedded MeteoBridge web interface, which is used to manage weather station data and administer the MeteoBridge system. The vulnerability affects versions through 6.1 and allows remote, unauthenticated attackers to execute arbitrary commands with root privileges on affected devices. The issue arises from insecure handling of user input in a CGI script and is triggered by specially crafted requests. Its severity is compounded by the fact that the affected script is reachable without authentication.
Impact
Exploitation of this vulnerability leads to unauthorized remote command execution with elevated privileges on the affected device.
Reproduction
The vulnerability can be reproduced by sending a GET request to the 'template.cgi' script located in the 'public' directory, for example with curl, with the 'templatefile' parameter set to the desired command. The output of the executed command is returned in the response, demonstrating successful exploitation. Alternatively, an attacker can send the victim a link containing the command injection payload, which is executed when the link is opened, so no direct network access to the device is required.
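Defenders can hunt for exploitation attempts in the device's or a fronting proxy's access logs by flagging requests to template.cgi whose templatefile value does not look like a plain template filename. The following is an added example, not code from the advisory or from Smartbedded; it assumes the script is served under a path ending in /public/template.cgi and uses constructed combined-log lines as input.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the affected script is reachable at a path ending in /public/template.cgi
# (the advisory names the script and directory, not the full URL path).
TARGET_PATH = re.compile(r"/public/template\.cgi$", re.IGNORECASE)
# A legitimate template name should be a plain filename; anything else is suspect
# (shell metacharacters, whitespace, path separators, quotes, etc.).
SAFE_TEMPLATE = re.compile(r"^[A-Za-z0-9_.-]+$")
# Common/combined log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request(target):
    """Return the suspicious templatefile value for a request to template.cgi,
    or None if the request targets another path or carries a safe filename."""
    parts = urlsplit(target)
    if not TARGET_PATH.search(parts.path):
        return None
    for raw in parse_qs(parts.query).get("templatefile", []):
        value = unquote(raw)  # parse_qs decoded once; unquote again for double-encoding
        if not SAFE_TEMPLATE.match(value):
            return value
    return None


def scan_log(lines):
    """Yield (client_ip, timestamp, offending_value) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected access-log format
        bad = inspect_request(m.group("target"))
        if bad is not None:
            hits.append((m.group("ip"), m.group("time"), bad))
    return hits


# Constructed sample log lines for demonstration, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /public/template.cgi?templatefile=index.html HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Oct/2025:12:00:05 +0000] "GET /public/template.cgi?templatefile=x%3Bid HTTP/1.1" 200 77',
    '203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, when, value in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} suspicious templatefile={value!r}")
```

Because the allowlist is a filename pattern rather than a blocklist of metacharacters, it also catches encoded and otherwise obfuscated values; tune SAFE_TEMPLATE to the template names actually deployed on the device.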
Remediation
Users are advised to update to MeteoBridge version 6.2, which addresses this vulnerability. Instructions for applying the update are available on the MeteoBridge forum.