/CVE-2018-10987.txt
Created Jun 20, 2018
| CVE-2018-10987 | |
| [Suggested description] | |
| An issue was discovered on Dongguan Diqee Diqee360 vacuum cleaner devices. | |
| The affected vacuum cleaners suffers from an authenticated remote code | |
| execution vulnerability. An authenticated attacker can send a | |
| specially crafted UDP packet, and execute commands on the vacuum | |
| cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). | |
| A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an | |
| attacker controlling the %s variable. In some cases, authentication | |
| can be achieved with the default password of 888888 for the admin account. | |
| ------------------------------------------ | |
| [Additional Information] | |
| Requirements: | |
| Must know the UID, must know login-password. Standard combination of | |
| easy credentials: admin:888888 - A remote attacker can exploit this | |
| issue and execute arbitrary system commands granting system access | |
| with root privileges to get system shell. | |
| ------------------------------------------ | |
| [VulnerabilityType Other] | |
| Remote code execution | |
| ------------------------------------------ | |
| [Vendor of Product] | |
| Dongguan Diqee Intelligent Co., Ltd | |
| ------------------------------------------ | |
| [Affected Product Code Base] | |
| Diqee360 - any | |
| ------------------------------------------ | |
| [Affected Component] | |
| Update wifi AP command | |
| ------------------------------------------ | |
| [Attack Type] | |
| Remote | |
| ------------------------------------------ | |
| [Impact Code execution] | |
| true | |
| ------------------------------------------ | |
| [Attack Vectors] | |
| Authenticated attacker can send a specially crafted udp packet, and execute command on vacuum cleaner diqee 360 as root. | |
| The bug are hide in function REQUEST_SET_WIFIPASSWD - udp command 153" | |
| Special crafted udp packet runs /mnt/skyeye/mode_switch.sh %s, because attacker control %s variable. | |
| ------------------------------------------ | |
| [Reference] | |
| http://facebook.com/neolead | |
| http://ptsecurity.com | |
| ------------------------------------------ | |
| [Has vendor confirmed or acknowledged the vulnerability?] | |
| true | |
| ------------------------------------------ | |
| [Discoverer] | |
| Leonid Krolle(Positive Technologies), George Zaytsev(Positive Technologies) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment