Mobvoi Tichome Mini Shell Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A shell command injection vulnerability has been identified in the Mobvoi Tichome Mini smart speaker, specifically in firmware versions 012-18853 and 027-58389. It allows remote attackers to send specially crafted UDP datagrams that execute arbitrary shell commands as the root user. The issue arises from a debugging interface that accepts packets on an exposed UDP port and passes attacker-controlled packet contents into a 'system()' call without sanitization.
Impact
Exploitation of this vulnerability leads to unauthorized remote code execution with root privileges on the affected device.
Reproduction
To reproduce this vulnerability, first connect the Tichome Mini smart speaker to a Wi-Fi network. Then, from another device on the same network, send a crafted UDP packet to port 35670, which the device listens on for all of its IP addresses. The packet should include a Unix path starting with '/' and a zero-terminated hostname. The device builds a 'cp' command from these fields and runs it through 'system()', so attacker-controlled content in the fields can execute arbitrary shell commands instead of the intended copy.
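As an added example (not part of this advisory and not Mobvoi code), the following Python helper parses raw IPv4/UDP packets and flags any datagram sent to the debug port above, so a network sensor on the speaker's LAN can alert on traffic that should never appear. The addresses, ports other than 35670, and packet bytes are constructed sample input.

```python
import struct
from dataclasses import dataclass

TICHOME_DEBUG_PORT = 35670  # UDP debug port named in the advisory


@dataclass
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_udp(frame: bytes):
    """Parse a raw IPv4 packet carrying UDP; return UdpDatagram or None if it is something else."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 17 or len(frame) < ihl + 8:  # protocol 17 = UDP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return UdpDatagram(src, dst, sport, dport, frame[ihl + 8:ihl + ulen])


def looks_like_debug_command(payload: bytes) -> bool:
    """Packet shape from the advisory: a '/'-prefixed Unix path plus a NUL-terminated hostname."""
    return b"/" in payload and b"\x00" in payload


def triage(frame: bytes, allowed_sources=frozenset()):
    """Return an alert line for datagrams to the debug port, None for everything else."""
    d = parse_ipv4_udp(frame)
    if d is None or d.dport != TICHOME_DEBUG_PORT:
        return None
    severity = "info" if d.src in allowed_sources else "alert"
    shape = "matches advisory packet shape" if looks_like_debug_command(d.payload) else "unexpected payload"
    return f"{severity}: {d.src}:{d.sport} -> {d.dst}:{d.dport} ({shape})"


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet for exercising the detector (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp
```

In production the frames would come from a packet capture on the LAN segment the speaker sits on; the allowlist is only for a vendor-sanctioned maintenance host, and the safest posture is to treat every hit as an alert until the firmware is updated.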
