AVTECH DGM1104 Command Injection Vulnerability in Machine.cgi Endpoint

Vulnerability

A command injection vulnerability has been identified in the AVTECH DGM1104 IP camera, specifically in the Machine.cgi endpoint. It allows authenticated users to execute arbitrary commands on the device by sending crafted input through the web API. The issue arises because the FTP test functionality in the camera's admin interface does not properly sanitize input before passing it to the system command execution function. As a result, maliciously crafted FTP settings can be used to execute commands as the root user on the device.

Impact

Exploitation of this vulnerability allows for authenticated command injection, with the executed commands running as the root user on the affected device. This could lead to unauthorized access or control over the device's functions and data.

Reproduction

To reproduce this vulnerability, an authenticated user accesses the admin interface of an affected AVTECH DGM1104 IP camera. Once logged in, the user navigates to the FTP test functionality within the Machine.cgi endpoint. Entering maliciously crafted FTP settings that trigger the input sanitization flaw causes the injected commands to be executed on the device.
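The defensive counterpart to the flaw described above, as an added illustration that is not the camera's firmware or AVTECH code: a hypothetical "FTP test" handler that validates the submitted host and credential fields and runs the client through execvp() on a fixed argument vector instead of formatting them into a system() string. The use of curl as the FTP client and the field length limits are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical hardened "FTP test" CGI handler (added illustration, not the
 * camera's firmware). The flaw described above is the pattern of formatting
 * submitted settings into one string for system(), so shell metacharacters
 * in the host/user/password fields become commands. */

/* Hostname/IPv4 allowlist: [A-Za-z0-9.-], no leading '-' (cannot be read
 * as an option), bounded length. Returns 1 if acceptable. */
int ftp_host_is_safe(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Credentials may contain punctuation, so only control characters, whitespace
 * and over-long values are rejected; since the value never reaches a shell,
 * ';', '`' or '$(' stay plain data rather than syntax. */
int ftp_cred_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)s[i]) || isspace((unsigned char)s[i])) return 0;
    return 1;
}

/* Run the check with execvp() on a fixed argv, never through a shell: the
 * submitted values cannot change which program runs or add arguments.
 * Returns -1 on validation/fork failure, else the client's exit status. */
int ftp_test_safe(const char *host, const char *user, const char *pass) {
    if (!ftp_host_is_safe(host) || !ftp_cred_is_safe(user) || !ftp_cred_is_safe(pass))
        return -1;
    char url[300], userpass[140];
    snprintf(url, sizeof url, "ftp://%s/", host);
    snprintf(userpass, sizeof userpass, "%s:%s", user, pass); /* assumed: curl as FTP client */
    char *const argv[] = {"curl", "-s", "--user", userpass, url, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Passing the password on the command line still exposes it to other local processes; a production handler would hand credentials to the client through a file or pipe instead.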

Added: Dec 3, 2025, 4:21 PM
Updated: Dec 3, 2025, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.