Intelbras TIP 635G OS Command Injection Vulnerability in Ping Handler Component

Vulnerability

A vulnerability allowing OS command injection has been identified in the Intelbras TIP 635G IP terminal, specifically in version 1.12.3.5. This issue arises within the Ping Handler component, where user-supplied input is improperly sanitized and directly passed to system shell commands. An authenticated attacker can exploit this flaw to execute arbitrary commands with root privileges. Although the command output is not displayed in the web interface, successful exploitation can be verified through out-of-band interactions, such as network requests initiated by the device. This vulnerability could lead to full compromise of the affected device and may allow lateral movement within the network.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary OS commands with root privileges on the affected device. This could lead to remote code execution and lets the attacker initiate network requests from the compromised device, potentially facilitating further attacks within the local network.

Reproduction

To reproduce this vulnerability, an authenticated user accesses the web management interface of the Intelbras TIP 635G IP terminal running version 1.12.3.5. Once logged in, the user navigates to the diagnostic 'ping' functionality. Input containing shell command substitution can be included in the ping request there. The injected commands are executed by the system shell with root privileges.

Added: Feb 24, 2026, 3:25 PM
Updated: Feb 24, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.