Comfast CF-N1 Command Injection Vulnerability in NTP Timezone Function
Vulnerability
A command injection vulnerability has been identified in the Comfast CF-N1 V2 router running firmware version 2.6.0. The issue resides in the web management interface, specifically within the NTP timezone configuration function. A remote attacker can inject arbitrary commands through the 'timestr' parameter, which is passed unsanitized to the system command execution function. Exploitation could lead to unauthorized command execution, access to sensitive files, or complete control over the device.
Impact
Successful exploitation allows for arbitrary command execution on the device, with potential access to sensitive information or complete compromise of the device.
Reproduction
To reproduce this vulnerability, send a POST request to the '/cgi-bin/mbox-config' endpoint with the 'method' parameter set to 'SET' and the 'section' parameter set to 'ntp_timezone'. Include a crafted 'timestr' value that injects a command, for example by using a semicolon to terminate the original command context and a hash to comment out the rest. After the request is processed, the injected command will be executed on the device.
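A detection check for the request described above, written for a proxy or WAF log pipeline; this is an added example, not part of the original advisory or the vendor's code. It assumes a legitimate 'timestr' looks like `YYYY-MM-DD HH:MM:SS` and that parameters arrive in the query string or in a JSON or form-encoded body; the function names and sample requests are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/mbox-config"
# Assumption: the management UI sends timestr as "YYYY-MM-DD HH:MM:SS"; adjust to the real format.
SAFE_TIMESTR = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def find_values(obj, key):
    """Yield every value stored under `key` anywhere in a decoded JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_values(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_values(item, key)

def extract_params(url, body):
    """Collect parameters from the query string and from a JSON or form-encoded body."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:
        doc = json.loads(body)
        for name in ("method", "section", "timestr"):
            params.setdefault(name, []).extend(str(v) for v in find_values(doc, name))
    except ValueError:  # body is not JSON: treat it as form-encoded
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
    return params

def is_suspicious(http_method, url, body):
    """True when an ntp_timezone SET request carries a timestr outside the allowlist."""
    if http_method.upper() != "POST" or urlsplit(url).path != ENDPOINT:
        return False
    p = extract_params(url, body)
    if "SET" not in p.get("method", []) or "ntp_timezone" not in p.get("section", []):
        return False
    # Allowlist, not a metacharacter blocklist: anything that is not a plain timestamp is flagged.
    return any(not SAFE_TIMESTR.fullmatch(t) for t in p.get("timestr", []))

# Constructed sample requests (not captured traffic): one benign, one with ';' and '#'.
SAMPLES = [
    ("POST", ENDPOINT + "?method=SET&section=ntp_timezone", '{"timestr": "2024-01-31 12:00:00"}'),
    ("POST", ENDPOINT + "?method=SET&section=ntp_timezone", '{"timestr": "2024-01-31 12:00:00; PLACEHOLDER #"}'),
]
if __name__ == "__main__":
    for req in SAMPLES:
        print(is_suspicious(*req), req[2])
```

The same allowlist, applied in the CGI handler before the value reaches the command execution function, is the server-side counterpart of this check.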
