2wcom IP-4c Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the 2wcom IP-4c web interface, specifically in version 2.16. This issue allows admin and manager users to execute arbitrary code as root by injecting commands into the ping or traceroute fields on the TCP/IP screen. The vulnerability arises from inadequate input sanitization, enabling command injection that is executed directly in the system shell.
Impact
Exploitation of this vulnerability leads to full system compromise, allowing authenticated users to execute arbitrary commands as root. This could potentially be exploited to pivot within the network.
Reproduction
To reproduce this vulnerability, log in as an admin user and navigate to the TCP/IP tools section. Select either the Ping or Traceroute tool and inject a command, such as '127.0.0.1;whoami', into the Destination field. After initiating the command, the response will include the output of the injected command, demonstrating successful exploitation.
Remediation
It is recommended to sanitize user inputs in the ping and traceroute tool configurations to block command injection characters and sequences. Additionally, using safe API calls that do not execute commands in the shell, implementing strict role-based access controls, and restricting access to the vulnerable AJAX request endpoints can help mitigate this vulnerability.
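The remediation above, as an added illustration that is not code from the 2wcom firmware: the string-concatenation pattern the advisory describes beside a hardened version that allow-lists the Destination field (IP literal or hostname) and hands the arguments to the process without a shell. The function names and the `ping -c 4` invocation are assumptions.

```python
import ipaddress
import re
import subprocess

# Allow-list for the Destination field: an IPv4/IPv6 literal or an RFC 1123
# hostname. Shell metacharacters such as ';', '|', '&', '`' and '$(' cannot
# match, so '127.0.0.1;whoami' is rejected before any process is spawned.
# Labels may not start with '-', so a validated value can never be parsed
# as a ping option either.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_valid_destination(dest: str) -> bool:
    """Return True only for an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(dest) is not None


def build_ping_command_vulnerable(dest: str) -> str:
    """The pattern the advisory describes (hypothetical reconstruction):
    user input concatenated into a shell command line. With shell=True,
    '127.0.0.1;whoami' is executed as two commands."""
    return f"ping -c 4 {dest}"


def build_ping_command_safe(dest: str) -> list[str]:
    """Validate first, then return an argv list. Passing a list to
    subprocess with shell=False means no shell ever parses the input."""
    if not is_valid_destination(dest):
        raise ValueError("destination must be an IP address or hostname")
    return ["ping", "-c", "4", dest]


def run_ping_safe(dest: str, timeout: float = 15.0) -> str:
    """Execute the validated ping and return its stdout."""
    result = subprocess.run(
        build_ping_command_safe(dest),
        capture_output=True, text=True, timeout=timeout, shell=False,
    )
    return result.stdout
```

The safe builder raises on the advisory's sample payload while accepting ordinary destinations; the shell-string builder is shown only to make the contrast explicit and should not be wired to `shell=True` anywhere.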
