Aqara Hub and Camera Hub Undocumented Remote Command Execution Vulnerability

Vulnerability

A vulnerability exists in Aqara Hub devices, including the Camera Hub G3, Hub M2, and Hub M3, that allows unrestricted remote command execution with root privileges. The backdoor is an undocumented mechanism reachable through CoAP commands, which lets a remote party execute arbitrary shell commands on the device. The vulnerability stems from improper input sanitization when QR code data is processed, which can be exploited during device setup or factory reset operations.

Impact

Exploitation of this vulnerability allows unauthorized remote code execution with root privileges on the affected devices.

Reproduction

The vulnerability can be reproduced by sending a CoAP request to the '/lumi/gw/rpc' endpoint with a JSON payload that invokes the 'system_run' or 'system_command' method. The 'system_run' method executes the command in the background without returning output, while 'system_command' executes the command synchronously, captures its output, and returns that output in the response.
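For defenders who capture CoAP traffic on the IoT segment, the following added example (not code from the advisory or from Aqara) parses RFC 7252 CoAP framing, reconstructs the Uri-Path, and flags JSON requests to /lumi/gw/rpc that name either method. The sample datagram and its "method" key are constructed for this example; the real request schema is not documented here, so the check matches the method names anywhere in the JSON text.

```python
import json

URI_PATH = 11                    # CoAP option number for Uri-Path (RFC 7252)
RPC_PATH = "lumi/gw/rpc"         # endpoint named in the advisory
SUSPECT = {"system_run", "system_command"}

def _ext(nibble, buf, pos):
    # Option delta/length nibbles 13 and 14 carry 1 or 2 extra bytes.
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return int.from_bytes(buf[pos:pos + 2], "big") + 269, pos + 2
    return nibble, pos

def parse_coap(datagram):
    """Split a raw CoAP datagram into code, (number, value) options and payload."""
    if len(datagram) < 4 or datagram[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    pos = 4 + (datagram[0] & 0x0F)           # skip fixed header and token
    options, number = [], 0
    while pos < len(datagram) and datagram[pos] != 0xFF:
        delta, length = datagram[pos] >> 4, datagram[pos] & 0x0F
        delta, pos = _ext(delta, datagram, pos + 1)
        length, pos = _ext(length, datagram, pos)
        number += delta                      # option numbers are delta-encoded
        options.append((number, datagram[pos:pos + length]))
        pos += length
    payload = datagram[pos + 1:] if pos < len(datagram) else b""
    return {"code": datagram[1], "options": options, "payload": payload}

def flag_rpc_abuse(datagram):
    """Return the suspect method named by a /lumi/gw/rpc request, else None."""
    msg = parse_coap(datagram)
    path = "/".join(v.decode("utf-8", "replace")
                    for n, v in msg["options"] if n == URI_PATH)
    if path != RPC_PATH:
        return None
    text = msg["payload"].decode("utf-8", "replace")
    try:
        json.loads(text)                     # the advisory describes a JSON body
    except ValueError:
        return None
    # Schema is undocumented here: match method names anywhere in the JSON text.
    hits = {m for m in SUSPECT if m in text}
    return min(hits) if hits else None

# Constructed sample: CON POST, message id 0x1234, Uri-Path lumi/gw/rpc,
# Content-Format 50 (application/json), JSON body naming the method.
SAMPLE = (b"\x40\x02\x12\x34" + b"\xB4lumi" + b"\x02gw" + b"\x03rpc"
          + b"\x11\x32" + b"\xFF" + b'{"method":"system_command"}')
```

Feed each UDP datagram captured on the CoAP port to flag_rpc_abuse; a non-None result is worth an alert, since legitimate setup traffic has no reason to invoke these methods.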

Remediation

Aqara has released firmware updates for the affected Hub M2 and M3 models, which include the necessary patches. For the Camera Hub G3, a compatible firmware version has also been released.

Added: Dec 10, 2025, 10:26 PM
Updated: Dec 10, 2025, 10:26 PM

Vulnerability Rating

Custom Algorithm (score per category)
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.