International Data Casting SFX2100 Satellite Receiver Privilege Escalation Vulnerability via SUID Binary

Vulnerability

A vulnerability exists in the International Data Casting (IDC) SFX2100 satellite receiver, where the '/sbin/ip' utility is installed with the setuid bit enabled. This configuration allows any local user to execute the binary with elevated privileges. Exploitation of this vulnerability can lead to unauthorized access to privileged files on the local file system, such as '/etc/shadow', and may open up additional avenues for performing privileged actions. The issue arises from the improper handling of user input in the 'IPaddr' parameter of the '/IDC_Ping/main.cgi' script, which is vulnerable to OS command injection. This exploitation can be achieved by injecting commands that are executed with root privileges.

Impact

Exploitation of this vulnerability allows for arbitrary file reads as the root user, with the potential for further privilege escalation.

Reproduction

The vulnerability can be reproduced by a local user with access to the SFX2100 satellite receiver. After gaining access, the user can execute the '/sbin/ip' command with the '-force' and '-batch' options to read sensitive files such as '/etc/shadow'. The output can be manipulated to bypass the application's input validation, which only checks for certain characters. This exploitation takes advantage of the fact that the 'ip' command can be used to execute arbitrary commands in a network namespace, effectively escalating privileges.
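
A defender-side check for the misconfiguration described above, added here as an example and not taken from the advisory or from IDC: it lists setuid files under a root directory that are not on an allowlist, so a setuid '/sbin/ip' stands out. The function name, the allowlist format and the sample paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): report setuid files that are not on an
# allowlist. Allowlist contents and directory layout are assumptions.

# audit_suid ROOT ALLOWLIST
#   ROOT      - tree to scan: / on a live system, or an unpacked firmware image
#   ALLOWLIST - text file, one ROOT-relative path per line (e.g. /bin/su)
# Prints every setuid regular file that is not allowlisted, one per line.
# Returns 0 if nothing unexpected was found, 1 otherwise, 2 on setup failure.
# Limitation: paths containing newlines are not handled.
audit_suid() {
    root=${1%/}          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    allow=$2
    found=0
    tmp=$(mktemp) || return 2
    # -perm -4000 selects files with the setuid bit; -xdev stays on one
    # filesystem. Writing to a temp file keeps the loop out of a pipeline
    # subshell, so $found is still set after the loop.
    find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null | sort > "$tmp"
    while IFS= read -r path; do
        rel=${path#"$root"}
        if ! grep -Fxq -- "$rel" "$allow"; then
            printf '%s\n' "$rel"
            found=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$found"
}

# Stand-alone use: sh audit_suid.sh ROOT ALLOWLIST
# A hit such as /sbin/ip is cleared with: chmod u-s ROOT/sbin/ip
if [ "$#" -ge 2 ]; then
    audit_suid "$1" "$2"
fi
```
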

Added: Mar 5, 2026, 1:18 AM
Updated: Mar 5, 2026, 7:51 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 5.7
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.