International Data Casting SFX2100 Satellite Receiver World-Writable Root Script Vulnerability Allowing Privilege Escalation
Vulnerability
A vulnerability exists in the International Data Casting (IDC) SFX2100 Satellite Receiver due to an incorrect permission assignment: the DHCP event script at /etc/udhcpc/default.script is world-writable. This flaw allows a local unprivileged attacker to execute arbitrary commands with root privileges, leading to local privilege escalation and persistence. The BusyBox udhcpc DHCP client runs this event script whenever a DHCP lease is acquired, renewed, or lost, and because any user can modify the file, any user controls what runs at those events. Exploitation involves appending commands to the script, which are then executed with root rights when the DHCP event occurs.
Impact
Exploitation of this vulnerability allows for arbitrary command execution as root, creating a persistent backdoor on the system.
Reproduction
The vulnerability can be reproduced by logging into the affected device as a low-privileged user and appending commands to the world-writable DHCP event script at /etc/udhcpc/default.script. Once the commands are added, they will be executed with root privileges when the DHCP lease is obtained, renewed, or lost.
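A defender can check for this condition and correct it with a short POSIX shell audit. The following is an added example, not vendor or advisory code: the function names and the optional known-good reference copy are assumptions, and only the script path comes from the advisory.

```shell
#!/bin/sh
# Added example: helper names and the optional known-good copy are assumptions.
DHCP_SCRIPT="${DHCP_SCRIPT:-/etc/udhcpc/default.script}"  # path from the advisory

# Mode string such as -rwxr-xr-x, read via ls because BusyBox builds
# do not always include stat -c. -L follows a symlinked script.
mode_of() {
    ls -ldL "$1" 2>/dev/null | cut -c1-10
}

# Succeeds when group or other holds write permission on the path.
is_loosely_writable() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 1
    [ "$(printf '%s' "$m" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$m" | cut -c9)" = "w" ]
}

# Audit the script and its directory; a writable directory lets a user
# swap the file out even when the file mode itself is tight.
# Optional $2: known-good copy (for example from the firmware image).
audit_dhcp_script() {
    script=$1; reference=${2:-}; findings=0
    for p in "$script" "$(dirname "$script")"; do
        if is_loosely_writable "$p"; then
            echo "FINDING: writable by non-owner: $(ls -ldL "$p")"
            findings=$((findings + 1))
        fi
    done
    if [ -n "$reference" ] && ! cmp -s "$script" "$reference"; then
        echo "FINDING: $script differs from known-good copy $reference"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Remove group/other write access from the script and its directory.
harden_dhcp_script() {
    chmod go-w "$1" "$(dirname "$1")"
}

# Run the audit when invoked as: sh audit.sh --audit [known-good-copy]
if [ "${1:-}" = "--audit" ]; then
    audit_dhcp_script "$DHCP_SCRIPT" "${2:-}"
fi
```

Tightening the mode does not undo earlier tampering, so on a device where the script was writable, compare its contents against a known-good copy before trusting it.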
