UTT HiPER 810 Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the web management interface of the UTT HiPER 810 router, firmware version 1.7.4-141218. The issue is in the function 'sub_43F020', within the endpoint '/goform/formPdbUpConfig'. Authenticated attackers can inject shell metacharacters into the 'policyNames' parameter and so execute arbitrary commands with root privileges. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Successful exploitation results in command injection: an authenticated attacker can execute arbitrary commands with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, first establish a telnet connection to the router's IP address on port 60023 using the default 'admin' credentials. Once connected, navigate to the '/goform/formPdbUpConfig' endpoint and send a POST request with the 'policyNames' parameter manipulated to include a command injection payload, such as a command that writes to a file in a writable directory. After the request is processed, the injected command will be executed on the router, demonstrating the successful exploitation of the vulnerability.
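A defender-side check for the request described above, as an added example that is not part of the original advisory or the vendor's code: it scans HTTP request records (for instance from a reverse proxy in front of the management interface) for shell metacharacters in 'policyNames' sent to '/goform/formPdbUpConfig'. The record tuple layout, the metacharacter set and the sample values are assumptions made for illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/goform/formPdbUpConfig"  # endpoint named in the advisory
PARAM = "policyNames"                 # parameter named in the advisory
# Assumption: the advisory does not list which metacharacters the firmware
# mishandles, so flag the usual POSIX shell set.
SHELL_META = set(";|&`$()<>\\\n\r'\"")


def suspicious_chars(value):
    """Return the shell metacharacters found in an already-decoded value.

    A second percent-decoding pass is applied as well, so a double-encoded
    character is still reported (conservative: may over-report).
    """
    return "".join(sorted(set(value + unquote(value)) & SHELL_META))


def scan(records):
    """records: iterable of (method, request_target, body) tuples.

    Returns [(record_index, offending_chars), ...] for requests to ENDPOINT
    whose PARAM value, in the query string or form body, contains shell
    metacharacters. The method is not filtered on, to stay conservative.
    """
    hits = []
    for index, (_method, target, body) in enumerate(records):
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
        bad = "".join(sorted({c for v in values for c in suspicious_chars(v)}))
        if bad:
            hits.append((index, bad))
    return hits


# Constructed sample records (not captured traffic); values are illustrative.
SAMPLE = [
    ("POST", ENDPOINT, "policyNames=policyA%2CpolicyB"),
    ("POST", ENDPOINT, "policyNames=policyA%3Becho+marker"),
    ("POST", ENDPOINT, "policyNames=policyA%2560echo%2560"),  # double-encoded backtick
    ("POST", "/goform/exampleOther", "policyNames=a%7Cb"),  # hypothetical path
]

if __name__ == "__main__":
    for index, chars in scan(SAMPLE):
        print(f"record {index}: {PARAM} contains {chars!r}")
```

Hits are a triage signal rather than proof of compromise, since a legitimate policy name could contain a flagged character.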

Added: Feb 8, 2026, 5:18 AM
Updated: Feb 8, 2026, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.