Arris VIP1113 Bootloader Shell Injection Vulnerability Allowing Arbitrary Code Execution

A bootloader shell injection vulnerability has been identified in Arris VIP1113 devices running KreaTV SDK, prior to May 30, 2025. This vulnerability allows for arbitrary code execution with root privileges by injecting commands that are executed by the bootloader. The exploitation process involves overwriting system binaries, which are then executed with elevated privileges, effectively bypassing secure boot mechanisms and allowing unauthorized modifications to the device's firmware.

Impact

Exploitation of this vulnerability leads to unauthorized root access, allowing attackers to execute arbitrary commands with root privileges, bypass secure boot protections, and modify or replace firmware images. Additionally, the vulnerability could be exploited to dump encryption keys used to secure firmware, facilitating further attacks.

Reproduction

The vulnerability can be reproduced by accessing the hidden configuration menu of the Arris VIP1113 device. Once in the menu, inject a space character into the TFTP command line parameter, which shifts the command line arguments and allows control over local file names. This injection can be used to overwrite executable files on the device. After replacing a binary with a malicious one, the bootloader can be instructed to execute it as the root user. Once the injected binary is executed, it can be used to access the device's firmware encryption key, which is stored in the bootloader's memory. With this key, the firmware can be decrypted and modified before being re-encrypted and uploaded back to the device, effectively bypassing secure boot and allowing the execution of custom firmware.