Shenzhen Tuoshi NR500-EA Command Injection Vulnerability via Unauthenticated NTP Server Parameter Manipulation

Vulnerability

A command injection vulnerability has been identified in Shenzhen Tuoshi NR500-EA devices running firmware RG500UEAABxCOMSLICv3.4.2731.16.43. The issue is in the '/goform/formJsonAjaxReq' POST endpoint, where the 'ntpserver0' parameter accepts user input without adequate validation. A request carrying a crafted 'username=admin' cookie bypasses normal session authentication, so an unauthenticated attacker can reach the endpoint and inject operating system commands, such as 'reboot', through 'ntpserver0'.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device's operating system. Additionally, it can lead to a denial-of-service condition, privilege escalation, and unauthorized information disclosure.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/formJsonAjaxReq' endpoint with a 'username=admin' cookie to bypass authentication. The 'ntpserver0' parameter in that request is not validated and can be used to inject and execute arbitrary OS commands.
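
For defenders, the following added example (not part of the advisory and not vendor code) triages parsed HTTP requests for the two conditions described above: a 'username=admin' cookie on the affected endpoint, and an 'ntpserver0' value that is not a plain hostname or IP address. The function names, the finding labels and the assumption that the request body has already been decoded into a dictionary are hypothetical; the page does not state the body encoding.

```python
import ipaddress
import re
from http.cookies import CookieError, SimpleCookie

ENDPOINT = "/goform/formJsonAjaxReq"   # endpoint named in the advisory
# One RFC 1123 hostname label: letters, digits, inner hyphens only.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_valid_ntp_server(value):
    """Allowlist: accept only an IP literal or a dotted RFC 1123 hostname."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in value.split("."))

def triage_request(method, path, cookie_header, params):
    """Return findings for one request; params is the decoded body (assumed dict)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    findings = []
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        findings.append("malformed-cookie")
    # The advisory ties the authentication bypass to this cookie value.
    if "username" in jar and jar["username"].value == "admin":
        findings.append("username-admin-cookie")
    if "ntpserver0" in params and not is_valid_ntp_server(params["ntpserver0"]):
        findings.append("ntpserver0-not-a-hostname")
    return findings

# Constructed sample requests (not captured traffic); "<cmd>" is a placeholder.
SAMPLES = [
    ("POST", ENDPOINT, "username=admin", {"ntpserver0": "time.example.net;<cmd>"}),
    ("POST", ENDPOINT, "", {"ntpserver0": "time.example.net"}),
    ("GET", "/index.html", "username=admin", {}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], triage_request(*sample))
```

The same allowlist check is the shape of the fix on the device side: a value that is not an IP literal or hostname should be rejected before it reaches any command line.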

Added: Aug 13, 2025, 8:47 PM
Updated: Aug 13, 2025, 8:47 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.