KuWFi GC111 Command Injection Vulnerability Allowing Arbitrary Command Execution as Root

A command injection vulnerability has been identified in KuWFi GC111 devices, specifically those with Hardware Version CPE-LM321_V3.2 and Software Version GC111-GL-LM321_V3.0_20191211. The issue arises from improper input validation in the '/goform/goform_set_cmd_process' endpoint, which allows remote attackers to send unauthenticated POST requests with malicious payloads injected into the SSID parameter. Exploiting this vulnerability enables the execution of arbitrary operating system commands with root privileges on the affected device.

Impact

Successful exploitation of this vulnerability allows for arbitrary command execution on the device's operating system with root privileges. Additionally, this vulnerability could lead to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a crafted POST request to the '/goform/goform_set_cmd_process' endpoint. Include a payload in the SSID parameter that exploits the command injection flaw, such as a command wrapped in a command substitution syntax, which will be executed on the device with root privileges.