Netcore Power 15AX Command Injection Vulnerability in Diagnostic Tool Interface
Vulnerability
A command injection vulnerability has been identified in the Netcore Power 15AX router, firmware version 3.0.0.6938. The issue lies in the diagnostic tool interface, in the 'setTools' function of the '/bin/netis.cgi' file. The 'IpAddr' parameter is not adequately filtered, which allows arbitrary operating system commands to be executed with root privileges. The flaw can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for arbitrary command execution with root privileges on the affected device. This could lead to unauthorized access to sensitive files, modification of system configurations, installation of malicious software, and potential disruption of network services. Additionally, similar vulnerabilities in other IoT devices have been exploited to gain access to internal networks.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/skk_set.cgi' endpoint with the 'diagnostic' parameter set to '1', the 'IpAddr' parameter containing a crafted payload that includes command substitution (such as '127.0.0.1$(id>/tmp/pwned)'), and the 'type' parameter set to '1'. This request can be made using cURL or similar tools.
Remediation
Users are advised to disable WAN-side management interfaces, restrict management access to trusted IP addresses, use strong authentication credentials, and monitor system logs for suspicious activity. Consider replacing the device with a more secure alternative.
