VYPR
Unrated severity · NVD Advisory · Published Mar 13, 2020 · Updated Aug 4, 2024

CVE-2019-12182

Description

Directory Traversal in Safescan Timemoto and TA-8000 series version 1.0 allows unauthenticated remote attackers to execute code via the administrative API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3

Vulnerability mechanics

Root cause

"Missing input validation in the CMD_UPDATEFILE API handler allows directory traversal and arbitrary file write."

Attack vector

An unauthenticated attacker on the same network sends crafted packets to the API on TCP port 4360. The attacker uses the `CMD_PREPARE_DATA` (1500) and `CMD_DATA` (1501) commands to upload a payload, then invokes `CMD_UPDATEFILE` (1700) with a filename containing `../../..` directory traversal sequences to write the payload to an arbitrary path such as `/mnt/mtdblock/data/test.sh` [ref_id=1]. Because the device executes scripts from that directory at boot, the attacker can achieve remote code execution by rebooting the device or by injecting shell metacharacters (`;`) into the filename field to trigger command injection [ref_id=1]. No authentication is required to access the API [ref_id=1].

Affected code

The vulnerability resides in the administrative API running on port 4360 of Safescan Timemoto and TA-8000 series devices (firmware version 1.0). The `CMD_UPDATEFILE` handler (case 1700) does not sanitize the filename parameter for directory traversal sequences, and the `GetEnvFilePath` function concatenates the environment variable `USERDATAPATH` with the user-supplied filename without validation [ref_id=1]. This allows an unauthenticated remote attacker to write arbitrary files to any location on the device's filesystem, as the service runs as root [ref_id=1].

What the fix does

The advisory states that a fix was released in August 2019, but the patch content is not shown in the provided bundle [ref_id=1]. To remediate the vulnerability, the `CMD_UPDATEFILE` handler must validate and sanitize the user-supplied filename to reject directory traversal sequences (e.g., `../`) and shell metacharacters. Additionally, the `GetEnvFilePath` function should ensure the resulting path stays within an intended directory, and the API should require authentication before accepting file-write or command-execution requests [ref_id=1].
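One way to implement the filename validation and confined path join described above, as an added example; it is not the vendor's patch, which the advisory does not show. The function name `safe_env_file_path`, the `/userdata` base directory and the sample names are constructed for illustration. It assumes the base directory is trusted configuration and does not resolve symlinks beneath it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist: letters, digits, '.', '_', '-'. Everything else (';', '|', '$',
 * backticks, spaces, backslashes, control bytes) is refused outright. */
static int allowed_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* One path component: non-empty, bounded, allowlisted, not dot-prefixed. */
static int component_ok(const char *s, size_t len)
{
    if (len == 0 || len > 64) return 0;  /* empty: leading, trailing or doubled '/' */
    if (s[0] == '.') return 0;           /* rejects ".", ".." and hidden files */
    for (size_t i = 0; i < len; i++)
        if (!allowed_char((unsigned char)s[i])) return 0;
    return 1;
}

/* Hypothetical hardened stand-in for a GetEnvFilePath-style join.
 * Returns 0 and writes "<base>/<name>" to out, or -1 if name is rejected. */
int safe_env_file_path(const char *base, const char *name, char *out, size_t outlen)
{
    if (!base || !name || !out || outlen == 0) return -1;
    for (const char *p = name;;) {
        size_t len = strcspn(p, "/");
        if (!component_ok(p, len)) return -1;
        if (p[len] == '\0') break;
        p += len + 1;                    /* step past the '/' separator */
    }
    int n = snprintf(out, outlen, "%s/%s", base, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;  /* refuse truncated paths */
}

int main(void)
{
    /* Constructed sample names; "/userdata" is a placeholder base directory. */
    const char *names[] = { "lang/en.txt", "../../../tmp/x.sh", "fw.bin;x", "/abs" };
    char out[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s -> %s\n", names[i],
               safe_env_file_path("/userdata", names[i], out, sizeof out) == 0 ? out : "REJECTED");
    return 0;
}
```

The check runs before any filesystem or shell use of the name, so a rejected request never reaches the write path.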

Preconditions

  • network: The attacker must have network access to the device's administrative API on TCP port 4360.
  • auth: No authentication is required; the API is exposed by default.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
