Reolink Desktop Application Command Injection Vulnerability in Cache Clearing Scheduler

Vulnerability

A command injection vulnerability has been identified in the Reolink desktop application version 8.18.12. It arises in the application's scheduled cache-clearing mechanism, where a temporary folder path is read from a user configuration file and placed into an operating system command string. Because the value is not sanitized, an attacker who can edit that configuration file can craft the folder name so that arbitrary operating system commands are injected. The scheduler that performs the cache clearing runs daily at 3:00 AM, so the injected commands execute inside the legitimate, digitally signed 'Reolink.exe' process, which makes them harder for security software to detect.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the host system, with the injected commands running as part of the trusted 'Reolink.exe' process. This not only provides a means to execute potentially malicious commands but also allows for persistence, as the scheduled task automatically re-executes the payload every day at 3:00 AM. The application's 'start on boot' feature further ensures that the payload survives system reboots.

Reproduction

The vulnerability can be reproduced by modifying the local configuration file to include a crafted folder name that injects commands into the cache-clearing scheduler. This can be done using the proof-of-concept script 'poc.py', available in the vulnerability's GitHub repository. The injected commands will then be executed by the application during its scheduled cache-clearing routine.

Remediation

To address this vulnerability, Reolink should implement proper input validation and sanitization for values read from user configuration files before including them in operating system command strings. Alternatively, the application could use native APIs that handle file paths as data rather than commands, such as Node.js's 'fs.rm()' function.

Added: Oct 21, 2025, 7:28 PM
Updated: Oct 21, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm

  spread           0.0
  impact          10.0
  exploitability   4.2
  remediation      0.0
  relevance        0.8
  threat           6.4
  urgency          2.9
  incentive        0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.