Xiongmai AHB7008T-MH-V2
cpe:2.3:o:xiongmaitech:ahb7008t-mh-v2_firmware:*:*:*:*:*:*:*
- V4.03.R11
A root OS command injection vulnerability has been identified in Xiongmai DVR/NVR devices, models AHB7008T-MH-V2 and NBD7024H-P, both running firmware version 4.03.R11. The issue is in the Sofia binary: a user-supplied hostname received over the DVRIP protocol (TCP port 34567) is executed as part of a shell command without proper sanitization. Exploitation requires authentication.
Exploitation of this vulnerability allows authenticated attackers to execute arbitrary OS commands with root privileges on the affected devices.
To reproduce this vulnerability, an authenticated user must send a request through the DVRIP protocol to the NetWork.NetCommon configuration handler, including shell metacharacters in the HostName value. The crafted hostname will be processed by the device, leading to command execution with root privileges.
It is recommended to remove the use of 'system()' for command execution and replace it with a safer alternative, such as 'sethostname()'. Additionally, hostname input should be validated against a strict allowlist, and any shell metacharacters should be rejected or escaped as an extra layer of defense.
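The recommended fix, sketched as an added example (not Xiongmai's code and not part of the advisory): the HostName value is checked against a single-label allowlist and applied with `sethostname()`, so no shell is involved. The function names, the 63-character limit and the sample inputs are assumptions of this sketch.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes sethostname() in <unistd.h> */
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define HOSTNAME_MAX_LEN 63      /* assumed limit: one DNS label */

/* Allowlist check: 1..63 characters of [A-Za-z0-9-], with no leading or
 * trailing '-'. Anything else (shell metacharacters, whitespace, control
 * bytes, non-ASCII) is rejected rather than escaped. Returns 1 or 0. */
int hostname_is_valid(const char *name)
{
    size_t len = 0;
    if (name == NULL || name[0] == '-')
        return 0;
    for (; name[len] != '\0'; len++) {
        char c = name[len];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-';
        if (!ok || len >= HOSTNAME_MAX_LEN)
            return 0;
    }
    return len > 0 && name[len - 1] != '-';
}

/* Hypothetical replacement for a system()-based handler: the validated
 * name goes straight to the syscall. Returns 0 on success, -1 if the
 * name is rejected or sethostname() fails (it needs root). */
int apply_hostname(const char *name)
{
    if (!hostname_is_valid(name))
        return -1;
    return sethostname(name, strlen(name));
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "dvr-01", "dvr 01", "dvr;id", "-dvr", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i],
               hostname_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

`main()` only exercises the validator; `apply_hostname()` changes the system hostname and should be called from the configuration handler, not from a test run.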