EFM ipTIME A8004T Authentication Bypass and Unrestricted File Upload Vulnerability
Vulnerability
A critical vulnerability exists in the EFM ipTIME A8004T router running firmware version 14.18.2. It combines two flaws. The first is an authentication bypass: requests sent under the '/cgi/' URL path are not subjected to the standard session validation, so an unauthenticated attacker can reach CGI functions that are meant to be available only to a logged-in administrator. The second is an unrestricted file upload in the 'commit_vpncli_file_upload' function of the VPN Service component: the function validates neither the extension nor the contents of the uploaded file and writes it as an OpenVPN configuration file directly into a system directory. An OpenVPN profile is not inert data (its directives can instruct the daemon to run external programs), so an attacker-controlled profile leads to execution of arbitrary system commands with root privileges once the VPN service is activated with it.
Impact
Exploitation gives an unauthenticated attacker who can reach the router's web interface access to sensitive functions and, once the VPN service is started with the uploaded profile, the execution of arbitrary commands with root privileges, which amounts to full compromise of the device.
Reproduction
To reproduce this vulnerability, first bypass authentication by issuing requests under the '/cgi/' path, which skips session validation, so no valid session is required for the following step. Then upload an OpenVPN configuration file through the 'commit_vpncli_file_upload' function; because neither the extension nor the contents are validated, any file is accepted and stored as a profile. The file must contain directives that cause commands to execute with root privileges when the VPN service is started with it. Note that the command execution is triggered by activating the VPN service, not by the upload itself.
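As an added example (not the vendor's code and not part of the original advisory), the following Python models the validation that 'commit_vpncli_file_upload' omits: a deny-by-default allowlist over the OpenVPN profile format that rejects any directive capable of executing a program, any key material referenced by path rather than embedded inline, and any filename that is not a plain .ovpn basename. The directive sets are assumptions chosen for a router-hosted VPN client, and the two profiles are constructed samples. It does not address the '/cgi/' authentication bypass, which has to be fixed in the request router itself.

```python
"""Allowlist validator for uploaded OpenVPN client profiles (.ovpn).
Added example, not the vendor's firmware code: the checks an upload handler
such as commit_vpncli_file_upload would need before storing a profile that a
root-privileged OpenVPN daemon will later load."""
import re

# Directives that make OpenVPN run an external program or load a shared
# object. In an attacker-supplied profile each one is root code execution.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "tls-crypt-v2-verify", "client-connect", "client-disconnect",
    "learn-address", "auth-user-pass-verify", "plugin", "script-security",
    "iproute",
}
# Deny by default: only what a router-hosted VPN client legitimately needs.
# Path-taking forms such as "ca /etc/..." are absent on purpose; key material
# is accepted only as inline blocks, so a profile cannot name router files.
ALLOWED_DIRECTIVES = {
    "client", "dev", "proto", "remote", "port", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "data-ciphers",
    "auth", "verb", "mute", "key-direction", "comp-lzo", "compress",
    "auth-nocache", "tls-version-min", "remote-random", "auth-user-pass",
}
ALLOWED_INLINE = {"ca", "cert", "key", "tls-auth", "tls-crypt",
                  "tls-crypt-v2", "dh", "crl-verify"}
# Plain basename ending in .ovpn: no path separators, so no traversal.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.ovpn$")
INLINE_OPEN_RE = re.compile(r"^<([a-z0-9-]+)>$")


def validate_ovpn(filename, data, max_size=64 * 1024):
    """Return the reasons to reject the upload; an empty list means accept."""
    reasons = []
    if ".." in filename or not FILENAME_RE.match(filename):
        reasons.append(f"filename rejected: {filename!r}")
    if len(data) > max_size:
        reasons.append(f"profile too large: {len(data)} bytes")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return reasons + ["profile is not ASCII text"]
    if any(ord(c) < 32 and c not in "\r\n\t" for c in text):
        reasons.append("profile contains control characters")

    inline = None  # name of the <block> whose body is being skipped
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue  # block bodies are never interpreted as directives
        if not line or line[0] in "#;":
            continue
        m = INLINE_OPEN_RE.match(line)
        if m:
            if m.group(1) not in ALLOWED_INLINE:
                reasons.append(f"line {lineno}: inline block <{m.group(1)}> not allowed")
            inline = m.group(1)  # consume the body either way
            continue
        words = line.split()
        directive = words[0].lstrip("-").lower()  # config files may use "--up"
        if directive in EXEC_DIRECTIVES:
            reasons.append(f"line {lineno}: '{directive}' executes an external program")
        elif directive not in ALLOWED_DIRECTIVES:
            reasons.append(f"line {lineno}: directive '{directive}' not in allowlist")
        elif directive == "auth-user-pass" and len(words) > 1:
            # With an argument the daemon reads credentials from that path.
            reasons.append(f"line {lineno}: 'auth-user-pass' must not name a file")
    if inline is not None:
        reasons.append(f"unterminated inline block <{inline}>")
    return reasons


# Constructed sample profiles; the certificate body is a placeholder.
BENIGN_PROFILE = b"""\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate
-----END CERTIFICATE-----
</ca>
"""
# "up" runs the quoted command as root when the tunnel comes up;
# "management" is merely outside the allowlist and is rejected as well.
MALICIOUS_PROFILE = b"""\
client
dev tun
remote 198.51.100.7 1194
script-security 2
up "/bin/sh -c 'touch /tmp/vpn_up_ran'"
management 127.0.0.1 7505
"""
```

The point of the allowlist is that a denylist of "dangerous" directives is not enough: OpenVPN gains new options over time, and a handler that only blocks the ones it knows about will silently accept the next one. Rejecting unknown directives, unknown inline blocks and any path-taking form keeps the accepted language small enough to reason about, and the filename check closes the traversal angle that comes with writing into a system directory.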
