Unitree Go2 Unauthenticated DDS-Based Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the Unitree Go2 robot, in firmware versions V1.1.7 through V1.1.9 and V1.1.11 (EDU). The vulnerability arises from the absence of authentication and authorization in the Data Distribution Service (DDS) implementation, which allows a network-adjacent, unauthenticated attacker to join DDS domain 0. Exploitation involves publishing a crafted message to the 'rt/api/programming_actuator/request' topic, which is handled by 'actuator_manager.py'. The message can contain arbitrary Python code, which the robot saves to disk under '/unitree/etc/programming/' and associates with a physical controller keybinding. Once the keybinding is activated, the code executes with root privileges, and the binding persists after the robot reboots.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution on the affected robot, with the executed code running as the root user.

Reproduction

The vulnerability can be reproduced by joining DDS domain 0 and publishing a message to the 'rt/api/programming_actuator/request' topic. The message must include the Python code to be executed, along with the appropriate metadata to bind the execution to a controller keybinding. Once the message is received by the robot, pressing the assigned keybinding on the controller will trigger the execution of the injected code.

Remediation

Unitree has acknowledged the vulnerability and developed a patch, but its deployment has been delayed. As of now, the vulnerability is still present in the EDU version of Go2 V1.1.11.
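
Because the attack starts with an unauthenticated host joining DDS domain 0, one detection approach is to flag RTPS (the DDS wire protocol) traffic on domain 0 ports that comes from hosts outside an allowlist. The following is an added example, not code from this advisory or from Unitree: it assumes the default RTPS port mapping and input already captured as (source IP, destination UDP port, payload) tuples; the function names, IP addresses and GUID prefixes are constructed for illustration.

```python
PB, DG, D0, D1, D2 = 7400, 250, 0, 10, 1  # RTPS default port-mapping constants

def rtps_domain(port):
    """Return the DDS domain id a UDP port maps to under the default mapping."""
    if port < PB:
        return None
    domain, offset = divmod(port - PB, DG)
    # Offsets 0/1 are multicast (discovery/user); 10 and up are the
    # per-participant unicast ports (10 + 2*id and 11 + 2*id).
    return domain if offset in (D0, D2) or offset >= D1 else None

def parse_rtps_header(payload):
    """Parse the fixed 20-byte RTPS header; None if the payload is not RTPS."""
    if len(payload) < 20 or payload[:4] != b"RTPS":
        return None
    return {
        "version": (payload[4], payload[5]),
        "vendor_id": payload[6:8].hex(),
        "guid_prefix": payload[8:20].hex(),
    }

def unexpected_participants(packets, allowed_sources, domain=0):
    """Return sorted (src_ip, guid_prefix) pairs seen on `domain` from
    sources that are not in the allowlist."""
    seen = set()
    for src, dst_port, payload in packets:
        if rtps_domain(dst_port) != domain or src in allowed_sources:
            continue
        header = parse_rtps_header(payload)
        if header is not None:
            seen.add((src, header["guid_prefix"]))
    return sorted(seen)

def _rtps(prefix):
    # Constructed RTPS 2.3 header (vendor id 0x0000), no submessages.
    return b"RTPS" + bytes([2, 3]) + b"\x00\x00" + prefix

# Constructed sample traffic using documentation-range addresses.
SAMPLE = [
    ("192.0.2.10", 7400, _rtps(b"\x01" * 12)),  # allowlisted robot
    ("192.0.2.66", 7400, _rtps(b"\xaa" * 12)),  # unknown host, discovery
    ("192.0.2.66", 7411, _rtps(b"\xaa" * 12)),  # same participant, user data
    ("192.0.2.77", 7650, _rtps(b"\xbb" * 12)),  # domain 1, out of scope
    ("192.0.2.88", 7400, b"not rtps"),          # non-RTPS noise on the port
]

if __name__ == "__main__":
    for src, guid in unexpected_participants(SAMPLE, {"192.0.2.10"}):
        print(f"unexpected DDS participant on domain 0: {src} guid_prefix={guid}")
```
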

Added: Feb 26, 2026, 8:34 PM
Updated: Feb 26, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.8
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.