Overview
Signal 11 identified a command injection vulnerability affecting NetComm routers running firmware versions up to and including R6B031.
The vulnerability exists in the dalStorage_addUserAccount function, where the username JSON property is unsafely concatenated into a shell command. The resulting command string is then passed to rut_doSystemAction, which ultimately invokes a system-level command execution path.
[...]
sprintf(
    acStack_160,
    "mkdir /mnt/%s/%s",
    *(undefined4 *)(local_24[0] + 0xc),
    *(undefined4 *)(local_24[0] + 4) // [1]
);
rut_doSystemAction("storage:useraccount", acStack_160);
cmsObj_free(local_24);
[...]
// [1] User-controlled username value is concatenated into the command string.
Exploitation requires valid authentication. However, once authenticated, an attacker can submit crafted input that is processed insecurely by the device.
Successful exploitation allows arbitrary command execution as root on the affected router.
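The defensive counterpart to the snippet above, as an added example (not NetComm firmware code and not the vendor's actual patch): each path component is checked against an allow-list and the directory is created with mkdir(2), so no shell ever parses the username. The function names, the 32-character limit, the 0750 mode and the sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define USER_NAME_MAX 32 /* assumed limit, not taken from the firmware */
static const char ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-";

/* Allow-list check: 1..32 chars from ALLOWED, no leading '.' or '-'.
 * Rejects shell metacharacters, whitespace, '/' and "..". */
int is_safe_name(const char *s)
{
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > USER_NAME_MAX) return 0;
    if (s[0] == '.' || s[0] == '-') return 0;
    return strspn(s, ALLOWED) == n;
}

/* Build "<base>/<volume>/<user>" from validated components only.
 * Returns 0 on success, -1 on rejected input or truncation. */
int build_user_path(char *out, size_t outlen, const char *base,
                    const char *volume, const char *user)
{
    int n;
    if (!is_safe_name(volume) || !is_safe_name(user)) return -1;
    n = snprintf(out, outlen, "%s/%s/%s", base, volume, user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Create the directory with mkdir(2) instead of a "mkdir ..." shell string. */
int create_user_dir(const char *base, const char *volume, const char *user)
{
    char path[256];
    if (build_user_path(path, sizeof path, base, volume, user) != 0) return -1;
    return (mkdir(path, 0750) != 0 && errno != EEXIST) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample usernames, not captured traffic. */
    const char *samples[] = { "alice", "bob_01", "a;b", "$(id)", "../etc" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i], build_user_path(path, sizeof path,
               "/mnt", "usb1", samples[i]) == 0 ? path : "rejected");
    return 0;
}
```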
Affected Products
The issue affects the following models:
- NF20MESH
Other devices may also be affected.
Impact
Successful exploitation may allow a remote attacker to:
- Execute arbitrary commands on the target device
- Access sensitive configuration data
- Modify application behavior or system state
Remediation
Users with affected devices should apply vendor-provided fixes (version R6B032) as soon as practical.
Where immediate patching is not possible, the following mitigations may reduce exposure:
- Change default passwords for all user accounts
- Prevent direct exposure of affected devices to the public internet
- Segment affected devices from sensitive internal assets