EFM iptime A6004MX Authentication Bypass and Arbitrary File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
A critical vulnerability has been identified in the EFM iptime A6004MX router running firmware version 14.18.2. It stems from an authentication bypass: unauthenticated attackers can reach sensitive CGI functions through the '/cgi/' URL path, circumventing standard session validation. In addition, the 'commit_vpncli_file_upload' function in '/cgi/timepro.cgi' contains an arbitrary file upload vulnerability. The function does not properly validate file extensions or contents, so attackers can upload malicious OpenVPN configuration files (.ovpn) to the '/etc/econf/vpnclient/openvpn/' directory. Such a file can cause arbitrary commands to run with root privileges when the VPN service is activated.
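The missing content validation described above can be illustrated with a check that an upload handler could run before storing a .ovpn file. This is an added example, not code from the vendor or the original advisory; the function name `find_exec_directives`, the option denylist and the sample profile are constructed for illustration.

```python
import shlex

# OpenVPN options that run a command or load code (denylist assumed here).
EXEC_DIRECTIVES = {
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin", "iproute", "script-security",
}

def find_exec_directives(text):
    """Return [(line_no, option)] for each command-running option found."""
    findings, inline_end = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline_end:                    # inside <ca>...</ca>: data, not options
            if line == inline_end:
                inline_end = None
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            tag = line[1:-1].lower()
            if tag in EXEC_DIRECTIVES:    # option smuggled as an inline block
                findings.append((line_no, tag))
            inline_end = "</" + line[1:]
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                # unbalanced quotes: reject outright
            findings.append((line_no, "<unparseable>"))
            continue
        name = tokens[0].lstrip("-").lower() if tokens else ""
        if name in EXEC_DIRECTIVES:       # "--up" and "up" are the same option
            findings.append((line_no, name))
    return findings

# Constructed sample profile; host and script path are placeholders.
SAMPLE = """client
dev tun
remote vpn.example.com 1194
<ca>
up certificate-data-not-an-option
</ca>
script-security 2
--up "/path/to/script"
"""
if __name__ == "__main__":
    for line_no, name in find_exec_directives(SAMPLE):
        print(f"line {line_no}: rejected option '{name}'")
```

A denylist like this one only covers the options it names; accepting only the options a client profile actually needs is the stricter design.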
Impact
Exploitation of this vulnerability leads to authentication bypass, unrestricted file upload, and remote code execution with root privileges on the affected router.
Reproduction
The vulnerability can be reproduced by sending a request to '/cgi/timepro.cgi' with a malicious OpenVPN configuration file attached. The 'up' directive in the file can be used to execute commands on the router once the VPN service is activated.
