AVTECH DGM1104 Command Injection Vulnerability in NetFailDetectD Binary
Vulnerability
A command injection vulnerability has been identified in the AVTECH DGM1104 IP camera model, specifically within the NetFailDetectD binary. This vulnerability allows authenticated users to execute arbitrary commands as the root user on the device. The issue arises because the binary reads data directly from the device's configuration file, including the hostname of a server that is pinged to check network connectivity. An attacker can manipulate this hostname to inject malicious commands, which are then executed on the device via the 'popen' function.
Impact
Exploitation of this vulnerability allows for authenticated command injection, with executed commands running as the root user on the affected device.
Reproduction
To reproduce this vulnerability, an authenticated user can send a crafted input through the web interface that exploits the command injection flaw in the NetFailDetectD binary. The injected hostname must be crafted to include the desired command, which will be executed on the device with root privileges.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.