H3C ACG1000-AK230 Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in the H3C ACG1000-AK230 gateway, affecting versions through 20260227. The vulnerability resides in the web interface, specifically the file '/webui/?aaa_portal_auth_local_submit'. It allows remote attackers to inject arbitrary commands by manipulating the 'suffix' parameter, potentially leading to unauthorized execution of commands on the server.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, which can result in unauthorized access to sensitive data, modification of critical files, and complete control over the server. This could turn the server into a 'zombie' or mining rig, and facilitate lateral movement within the internal network, disrupting corporate infrastructure and causing significant financial and reputational damage.
Reproduction
To reproduce this vulnerability, send a GET request to '/webui/?aaa_portal_auth_local_submit' with the 'bkg_flag' parameter set to '0' and the 'suffix' parameter containing the injected command, such as 'ls' redirected to a writable location like '/usr/local/webui/cyzz.txt'. After the command is executed, the results can be retrieved from the specified file.
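To spot the request pattern described above in web access logs, a detection sketch follows. It is an added example, not code from the advisory or from H3C. It assumes a common/combined access-log format and a POSIX shell metacharacter set; the sample log lines, addresses and the `other_page` key are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path, page key and parameter name are taken from the advisory text.
ENDPOINT_PATH = "/webui/"
ENDPOINT_KEY = "aaa_portal_auth_local_submit"
PARAM = "suffix"

# Assumption: characters a POSIX shell treats specially; tune for your traffic.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")
# Assumption: common/combined access-log format with a quoted request line.
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_suffix(log_line):
    """Return (client, decoded suffix) if the line hits the endpoint with
    shell metacharacters in 'suffix'; otherwise None."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    # keep_blank_values keeps the valueless page key in the parsed query.
    params = parse_qs(url.query, keep_blank_values=True)
    if url.path != ENDPOINT_PATH or ENDPOINT_KEY not in params:
        return None
    for value in params.get(PARAM, []):  # parse_qs percent-decodes once
        if SHELL_META.search(value):
            return client, value
    return None

def scan(lines):
    """Collect every flagged (client, suffix) pair from an iterable of log lines."""
    return [hit for hit in map(suspicious_suffix, lines) if hit]

# Constructed sample log lines (documentation addresses, invented timestamps).
# 'other_page' is a hypothetical page key used to show the endpoint scoping.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /webui/?aaa_portal_auth_local_submit'
    '&bkg_flag=0&suffix=example.local HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2026:10:00:05 +0000] "GET /webui/?aaa_portal_auth_local_submit'
    '&bkg_flag=0&suffix=ls%3E%2Fusr%2Flocal%2Fwebui%2Fcyzz.txt HTTP/1.1" 200 87',
    '192.0.2.77 - - [01/Jan/2026:10:01:00 +0000] "GET /webui/?other_page'
    '&suffix=a%3Eb HTTP/1.1" 200 230',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"ALERT {client} suffix={value!r}")
```

The query string is percent-decoded only once, so double-encoded values need an extra decoding pass before matching.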
