Unitree Go1 Insecure Firmware Verification Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in the Unitree Go1 robotic dog, specifically in all firmware versions through Go1_2022_05_11. The issue arises from the firmware update mechanism, which relies solely on insecure MD5 hash checks for integrity verification. This flaw enables attackers to bypass authentication and upload malicious firmware, potentially leading to remote code execution, privilege escalation, and information disclosure.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected device, with the potential for privilege escalation and unauthorized access to sensitive information.

Reproduction

To reproduce this vulnerability, download the official firmware version Go1_2022_05_11_e0d0e617.zip and extract it. Inspect the run.sh script, which reveals that the firmware update process only checks MD5 hashes without any digital signature or certificate validation. After modifying the firmware, recalculate the MD5 hash to match the original and upload the altered firmware. The modified firmware can then be pushed to the robot via Wi-Fi or Ethernet.
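An added example (not taken from the advisory or from Unitree's firmware) contrasting a hash-only check with a signed-manifest check, the control the paragraph above notes is missing. The file names, RSA key and sample package are constructed assumptions, and `md5_only_check` stands in for the pattern described rather than reproducing the contents of run.sh.

```shell
#!/bin/sh
# Added example: authenticate an update package before installing it.
# manifest.md5, manifest.sha256, manifest.sig and vendor_pub.pem are assumed names.

# Weak pattern: a hash list shipped inside the package, with no key involved.
md5_only_check() {            # $1 = package dir
    ( cd "$1" && md5sum -c manifest.md5 >/dev/null 2>&1 )
}

# Hardened pattern: the manifest must carry a valid vendor signature, and
# every file must match the SHA-256 digest listed in that signed manifest.
verify_update() {             # $1 = package dir, $2 = trusted public key
    openssl dgst -sha256 -verify "$2" -signature "$1/manifest.sig" \
        "$1/manifest.sha256" >/dev/null 2>&1 || return 1
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}

# Constructed sample package, hashed and signed the way a vendor would.
build_sample() {              # $1 = work dir
    mkdir -p "$1/pkg"
    printf 'echo installing\n' > "$1/pkg/install.sh"
    printf 'constructed payload\n' > "$1/pkg/app.bin"
    openssl genrsa -out "$1/vendor_key.pem" 2048 2>/dev/null
    openssl rsa -in "$1/vendor_key.pem" -pubout -out "$1/vendor_pub.pem" 2>/dev/null
    ( cd "$1/pkg" && md5sum install.sh app.bin > manifest.md5 \
        && sha256sum install.sh app.bin > manifest.sha256 )
    openssl dgst -sha256 -sign "$1/vendor_key.pem" \
        -out "$1/pkg/manifest.sig" "$1/pkg/manifest.sha256"
}

# A party without the private key changes a file and refreshes both hash lists.
tamper_sample() {             # $1 = work dir
    printf 'changed\n' >> "$1/pkg/app.bin"
    ( cd "$1/pkg" && md5sum install.sh app.bin > manifest.md5 \
        && sha256sum install.sh app.bin > manifest.sha256 )
}

# Demo: the altered package passes the hash-only check and fails the signed one.
W=$(mktemp -d)
build_sample "$W"; tamper_sample "$W"
md5_only_check "$W/pkg" && echo "hash-only check: accepted"
verify_update "$W/pkg" "$W/vendor_pub.pem" || echo "signed-manifest check: rejected"
rm -rf "$W"
```

The public key used by `verify_update` has to come from the device's trusted storage, never from the package being checked.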

Added: Jul 25, 2025, 3:54 PM
Updated: Jul 25, 2025, 3:54 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 5.6
exploitability: 6.0
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.