Netcore Routers Command Injection Vulnerability in Network Tools Ping Function

Vulnerability

A critical command injection vulnerability has been identified in Netcore router models NBR1005GPEV2, NBR200V2, and B6V2, all running firmware versions prior to 20250508. The vulnerability arises in the 'tools_ping' function of the 'network_tools' utility, located at '/usr/bin/network_tools'. The issue allows for arbitrary command execution by manipulating the 'url' parameter, which is not properly validated before being used in a system command. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with the executed commands running in the background.

Reproduction

To reproduce this vulnerability, send a POST request to the '/ubus' endpoint with a JSON payload that includes a crafted 'url' parameter. The payload should be formatted to include the desired command injection, such as a reverse shell command or a command that creates a named pipe (FIFO) for further exploitation.
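The root cause is an unvalidated 'url' parameter reaching a system command. The following is an added example of how such a ping handler can be hardened; it is not Netcore's code (the page does not show the vendor's implementation), and the names is_valid_ping_target and run_ping_safely are assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_HOST 253  /* RFC 1035 limit on a hostname's length */

/* Allow-list validation for a ping target (hypothetical helper):
 * letters, digits, '.', '-' and ':' (IPv6), bounded length, and no
 * leading '-' so the value can never be parsed by ping as an option.
 * Shell metacharacters such as ';', '|', '`' and '$' are rejected
 * outright instead of being escaped. */
int is_valid_ping_target(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > MAX_HOST || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened equivalent of a tools_ping handler (hypothetical): the host
 * is validated, then ping is started with execvp and a fixed argv, so no
 * shell ever parses the user-supplied value. Returns ping's exit status,
 * or -1 if the input was rejected or the child could not be started. */
int run_ping_safely(const char *host, int count)
{
    char count_str[16];
    if (!is_valid_ping_target(host) || count < 1 || count > 10)
        return -1;
    snprintf(count_str, sizeof count_str, "%d", count);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", count_str, (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);  /* exec failed; never return into the caller */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejected inputs return -1 before any process is spawned, which is also the point at which a defender would log the attempt.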

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

metric          score
spread          2.6
impact          7.5
exploitability  9.1
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.