CVE-2022-36603

An attacker must first authenticate to the InnoSilicon miner (e.g., using the undocumented guest/guest account [ref_id=1]) and obtain a valid JWT. Once authenticated, the attacker sends a crafted request to the `/api/checkUrl` endpoint with a payload containing shell metacharacters in the URL parameter. Because the older firmware does not use `escapeshellcmd()` [ref_id=1], the unsanitized input is passed directly to `shell_exec()`, allowing arbitrary OS commands to be executed on the device.

The vulnerable code is in the `checkUrl` function within the InnoSilicon web interface (`/usr/share/factory/www`). The old version used `$ping_cmd = "ping ".$ping_url." -c 5";` without sanitization, while the newer version wraps the input with `escapeshellcmd()` [ref_id=1]. The route was defined as `$router->get('/api/checkUrl', 'Status','checkUrl');` in the API router (`/usr/share/factory/www/webif/index.php`) and was later commented out [ref_id=1].

The patch adds `escapeshellcmd()` around the user-supplied `$ping_url` variable before passing it to `shell_exec()` [ref_id=1]. In the vulnerable version the command was `$ping_cmd = "ping ".$ping_url." -c 5";` while the fixed version uses `$ping_cmd = escapeshellcmd("ping ".$ping_url." -c 5");` [ref_id=1]. This prevents shell metacharacters from being interpreted as command separators or operators. Notably, even after applying this fix, the vendor also commented out the checkUrl route in the API router, suggesting they no longer trust the endpoint [ref_id=1].