Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2018-10987
CVE-2018-10987
[Suggested description]
An issue was discovered on Dongguan Diqee Diqee360 vacuum cleaner devices.
The affected vacuum cleaners suffers from an authenticated remote code
execution vulnerability. An authenticated attacker can send a
specially crafted UDP packet, and execute commands on the vacuum
cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153).
A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an
attacker controlling the %s variable. In some cases, authentication
can be achieved with the default password of 888888 for the admin account.
------------------------------------------
[Additional Information]
Requirements:
Must know the UID, must know login-password. Standard combination of
easy credentials: admin:888888 - A remote attacker can exploit this
issue and execute arbitrary system commands granting system access
with root privileges to get system shell.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
Dongguan Diqee Intelligent Co., Ltd
------------------------------------------
[Affected Product Code Base]
Diqee360 - any
------------------------------------------
[Affected Component]
Update wifi AP command
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Authenticated attacker can send a specially crafted udp packet, and execute command on vacuum cleaner diqee 360 as root.
The bug are hide in function REQUEST_SET_WIFIPASSWD - udp command 153"
Special crafted udp packet runs /mnt/skyeye/mode_switch.sh %s, because attacker control %s variable.
------------------------------------------
[Reference]
http://facebook.com/neolead
http://ptsecurity.com
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Leonid Krolle(Positive Technologies), George Zaytsev(Positive Technologies)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment