U-SPEED AC1200 Gigabit Wi-Fi Router Command Injection Vulnerability Allowing Arbitrary Command Execution

A command injection vulnerability has been identified in the U-SPEED AC1200 Gigabit Wi-Fi Router, specifically in model T18-21K version 1.0. The issue arises in the Network Time Protocol (NTP) configuration interface, which fails to properly sanitize user input. This vulnerability allows authenticated users with administrative privileges to inject arbitrary system commands through the NTP server configuration parameters. The injected commands are executed with elevated privileges, potentially leading to a complete compromise of the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the router's operating system, with the executed commands likely running as the root user. This could lead to full system compromise. Additionally, if exploited in conjunction with an existing vulnerability that exposes the device's UART interface without authentication, it could provide direct root-level console access.

Reproduction

To reproduce this vulnerability, an authenticated administrative user can navigate to the NTP configuration settings via the router's web interface. Once there, a crafted payload can be injected into the 'ntpSrv1' parameter of the NTP server configuration. After the payload is submitted, the injected command is executed by the router's operating system.

Remediation

The vendor should address this vulnerability by implementing proper input sanitization and validation for all user-supplied data, particularly in the NTP configuration interface. It is also recommended to avoid passing user-controlled input to functions that execute commands in the shell, and instead use parameterized system calls or safe APIs. Additionally, the execution context and privileges should be restricted, and allowlists for NTP server values should be established. Unnecessary debug functionality should be removed from production devices.