UTT 进取 521G Command Injection Vulnerability in the Web Management Interface
Vulnerability
A command injection vulnerability has been identified in the UTT 进取 521G router, specifically in the firmware version 3.1.1-190816. The issue arises in the function sub_446B18 within the file /goform/formPdbUpConfig. This vulnerability allows authenticated attackers to execute arbitrary operating system commands by manipulating the policyNames parameter. The exploitation can be performed remotely, and the vulnerability has been publicly disclosed along with a proof-of-concept exploit.
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the operating system with root privileges.
Reproduction
To reproduce this vulnerability, log into the device via Telnet. Once connected, send a crafted POST request to the /goform/formPdbUpConfig endpoint. Include a payload in the policyNames parameter that contains shell metacharacters, such as '1;touch /tmp/1'. After sending the request, check the /tmp directory to verify if the injected command was executed by looking for the presence of the file '1'.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.