CVE-2018-10987
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CVE-2018-10987 | |
[Suggested description] | |
An issue was discovered on Dongguan Diqee Diqee360 vacuum cleaner devices. | |
The affected vacuum cleaners suffers from an authenticated remote code | |
execution vulnerability. An authenticated attacker can send a | |
specially crafted UDP packet, and execute commands on the vacuum | |
cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). | |
A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an | |
attacker controlling the %s variable. In some cases, authentication | |
can be achieved with the default password of 888888 for the admin account. | |
------------------------------------------ | |
[Additional Information] | |
Requirements: | |
Must know the UID, must know login-password. Standard combination of | |
easy credentials: admin:888888 - A remote attacker can exploit this | |
issue and execute arbitrary system commands granting system access | |
with root privileges to get system shell. | |
------------------------------------------ | |
[VulnerabilityType Other] | |
Remote code execution | |
------------------------------------------ | |
[Vendor of Product] | |
Dongguan Diqee Intelligent Co., Ltd | |
------------------------------------------ | |
[Affected Product Code Base] | |
Diqee360 - any | |
------------------------------------------ | |
[Affected Component] | |
Update wifi AP command | |
------------------------------------------ | |
[Attack Type] | |
Remote | |
------------------------------------------ | |
[Impact Code execution] | |
true | |
------------------------------------------ | |
[Attack Vectors] | |
Authenticated attacker can send a specially crafted udp packet, and execute command on vacuum cleaner diqee 360 as root. | |
The bug are hide in function REQUEST_SET_WIFIPASSWD - udp command 153" | |
Special crafted udp packet runs /mnt/skyeye/mode_switch.sh %s, because attacker control %s variable. | |
------------------------------------------ | |
[Reference] | |
http://facebook.com/neolead | |
http://ptsecurity.com | |
------------------------------------------ | |
[Has vendor confirmed or acknowledged the vulnerability?] | |
true | |
------------------------------------------ | |
[Discoverer] | |
Leonid Krolle(Positive Technologies), George Zaytsev(Positive Technologies) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment