Arris VIP1113 TFTP-Based File Overwrite Vulnerability Allowing Bootloader Shell Injection
Vulnerability
A vulnerability in Arris VIP1113 devices running the KreaTV SDK, prior to May 30, 2025, allows files on the device to be overwritten via TFTP. The remote filename given to the device's TFTP download command is not sanitized: a remote filename containing a space is split into additional command-line arguments, which lets an attacker choose the local filename the download is written to and so overwrite executable files on the device.
Impact
Exploitation lets an attacker overwrite arbitrary files, including system binaries, with content served from a TFTP server they control. Because the bootloader can be directed to run the replaced binary, this can be chained with other weaknesses to execute arbitrary code as root, bypass the secure boot process, and tamper with firmware images.
Reproduction
Reproduction requires access to the hidden configuration menu of the Arris VIP1113. From that menu, supply a remote filename containing a space to the TFTP download command. The space shifts the command-line parameters, so the text after it is parsed as further arguments and the attacker controls both the remote and the local filename. After a binary has been overwritten in this way, the bootloader can be instructed to execute the modified binary, which runs as root.
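The parameter-shifting mechanism described above, as an added illustration that is not code from the Arris VIP1113 firmware, the KreaTV SDK or the advisory. The exact command line the device builds is not known from the page, so the `tftp -g -r <REMOTE> <SERVER>` string, the assumption that the client uses the remote name as the local name when `-l` is absent (busybox tftp behaviour), the `/tmp/tftp` staging directory and the `10.0.0.5` server address are all assumptions of this example. The block shows that TFTP itself carries a filename with a space as a single field (RFC 1350), that a word-split command string turns that space into an injected `-l` argument selecting the write target, and a hardened builder that validates the name and passes argv as a list.

```python
"""Model of an argument-injection bug in a TFTP fetch command.

Constructed example, not code from the Arris VIP1113 firmware or the KreaTV
SDK: the exact command line the device builds is not known from the
advisory.  Assumed here: the device builds "tftp -g -r <REMOTE> <SERVER>"
as a single string, word-splits it, and (like busybox tftp) uses the
remote name as the local name when -l is not given.
"""
import posixpath
import struct

OP_RRQ = 1                      # RFC 1350 read-request opcode
DOWNLOAD_DIR = "/tmp/tftp"      # assumed staging directory for downloads


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 RRQ: opcode | filename | 0 | mode | 0.  The filename is a
    NUL-terminated string, so a space is legal inside one filename."""
    return (struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00"
            + mode.encode() + b"\x00")


def parse_rrq(pkt: bytes):
    """Return (filename, mode) from an RRQ packet; the space survives intact."""
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != OP_RRQ:
        raise ValueError("not an RRQ")
    filename, mode, _rest = pkt[2:].split(b"\x00", 2)
    return filename.decode(), mode.decode()


def parse_tftp_argv(argv):
    """Getopt-style parse of `tftp -g -r REMOTE [-l LOCAL] HOST` (assumed
    client semantics).  Returns the file the client would write to."""
    opts, positional = {}, []
    it = iter(argv[1:])
    for tok in it:
        if tok in ("-r", "-l"):
            opts[tok] = next(it)
        elif tok == "-g":
            opts[tok] = True
        else:
            positional.append(tok)
    remote = opts.get("-r")
    local = opts.get("-l", posixpath.basename(remote) if remote else None)
    return {"remote": remote, "local": local,
            "host": positional[0] if positional else None}


def vulnerable_fetch_argv(remote: str, server: str):
    """Vulnerable pattern: the user-supplied name is interpolated into a
    command string that is then word-split, exactly as a shell would do."""
    cmd = f"tftp -g -r {remote} {server}"
    return cmd.split()


def hardened_fetch_argv(remote: str, server: str):
    """Hardened pattern: reject whitespace/control characters and path
    components, fix the local path under DOWNLOAD_DIR, and build argv as a
    list so no word-splitting can occur."""
    if not remote or any(c.isspace() or ord(c) < 0x20 for c in remote):
        raise ValueError("remote filename contains whitespace/control chars")
    if "/" in remote or remote in (".", ".."):
        raise ValueError("remote filename must be a bare name")
    local = posixpath.join(DOWNLOAD_DIR, remote)
    return ["tftp", "-g", "-r", remote, "-l", local, server]


def is_rejected(remote: str, server: str = "10.0.0.5") -> bool:
    """True if the hardened builder refuses the supplied remote name."""
    try:
        hardened_fetch_argv(remote, server)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "fw.bin -l /usr/bin/victim"       # constructed attacker input
    print(parse_rrq(build_rrq(payload)))        # one filename on the wire
    print(parse_tftp_argv(vulnerable_fetch_argv(payload, "10.0.0.5")))
    print("hardened rejects payload:", is_rejected(payload))
```

The check to carry over to a real device: any code path that interpolates a download name into a string handed to a shell or `system()` is suspect, regardless of which TFTP client sits behind it. Building argv as a list and allowlisting the filename removes the injection; confining the local path to a fixed directory limits what an overwrite could reach even if a later bug reopened the hole.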
