UTT HiPER 520 Command Injection Vulnerability in Web Management Interface
Vulnerability
A critical OS command injection vulnerability has been identified in the UTT HiPER 520 router, specifically in the Web Management Interface. This vulnerability affects version 1.7.7-160105 and is located in the 'sub_44EFB4' function of the 'rehttpd' binary. The issue arises when the application retrieves the 'Isp_Name' parameter through 'websGetVar'. Although there is an attempt to sanitize the input by converting it to an integer, the original unsanitized string pointer is used in a subsequent 'doSystem' call, allowing authenticated attackers to inject arbitrary shell commands. The vulnerability can be exploited remotely, and an available proof-of-concept demonstrates the execution of injected commands with root privileges.
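The flaw described above, as an added example that is not code from the rehttpd binary: a value is converted to an integer as a check, but the original string is what gets formatted into the command. The `isp_helper` command template, the function names and the 1-255 range are assumptions for illustration; the sample input is the value quoted in the Reproduction section, and nothing is executed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical command template: the real string passed to doSystem is not
 * shown in the advisory. These functions only format text, never run it. */
#define CMD_FMT_STR "isp_helper --isp %s"
#define CMD_FMT_INT "isp_helper --isp %ld"

/* Flawed pattern: atoi() stops at the first non-digit, so "1;..." converts
 * to 1 and passes the check, yet the raw string is what gets formatted. */
int build_cmd_flawed(const char *isp_name, char *out, size_t n)
{
    int id = atoi(isp_name);
    if (id <= 0)
        return -1;
    snprintf(out, n, CMD_FMT_STR, isp_name);   /* raw string, not id */
    return 0;
}

/* Corrected pattern: the whole string must be a number in range, and only
 * the parsed integer is formatted, so no caller-supplied bytes are copied. */
int build_cmd_checked(const char *isp_name, char *out, size_t n)
{
    char *end;
    long id;

    errno = 0;
    id = strtol(isp_name, &end, 10);
    if (end == isp_name || *end != '\0' || errno == ERANGE)
        return -1;                             /* empty or trailing bytes */
    if (id <= 0 || id > 255)                   /* assumed valid range */
        return -1;
    snprintf(out, n, CMD_FMT_INT, id);
    return 0;
}

int main(void)
{
    const char *sample = "1;touch /tmp/2026-1-29"; /* value quoted on the page */
    char cmd[128];
    if (build_cmd_flawed(sample, cmd, sizeof cmd) == 0)
        printf("flawed : %s (has ';': %d)\n", cmd, strchr(cmd, ';') != NULL);
    if (build_cmd_checked(sample, cmd, sizeof cmd) != 0)
        puts("checked: rejected");
    return 0;
}
```

Formatting the parsed integer instead of the string is the key change; passing arguments through an exec-style call with an argument vector, rather than a shell string, removes the metacharacter problem altogether.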
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the device, with root privileges.
Reproduction
To reproduce this vulnerability, first establish a telnet connection to the device and log in with the default credentials (admin/admin). Once connected, navigate to the 'WANConfig.asp' page and use Burp Suite to intercept the request. Modify the 'Isp_Name' parameter to include a command injection payload, such as '1;touch /tmp/2026-1-29'. After sending the modified request, the injected command will be executed on the device, confirming the successful exploitation of the vulnerability.
