EFM ipTIME A8004T Command Injection Vulnerability in Debug Interface

A critical command injection vulnerability has been identified in the EFM ipTIME A8004T router, specifically in the 14.18.2 firmware version. The issue resides within the Debug Interface, in the function httpcon_check_session_url of the file /sess-bin/d.cgi. This vulnerability allows for remote exploitation by manipulating the cmd parameter, which can lead to unauthorized execution of shell commands with root privileges. The vulnerability arises from a logical flaw in session validation, where authentication checks can be bypassed, granting access to restricted functions that facilitate the exploitation.

Impact

Exploitation of this vulnerability allows for unauthenticated remote root access on the affected device.

Reproduction

To reproduce this vulnerability, send an HTTP request to the router's Debug Interface bypassing the authentication checks. Modify the request path to /cgi/timepro.cgi to access the hidden login setup function. Once access is gained, enable the 'Remote Support' feature and navigate to the d.cgi debug endpoint. Inject arbitrary shell commands through the cmd parameter, which will be executed with root privileges, resulting in full control over the device.