CVE-2018-10987
[Suggested description]
An issue was discovered on Dongguan Diqee Diqee360 vacuum cleaner devices.
The affected vacuum cleaners suffer from an authenticated remote code
execution vulnerability. An authenticated attacker can send a
specially crafted UDP packet, and execute commands on the vacuum
cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153).
A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an
attacker controlling the %s variable. In some cases, authentication
can be achieved with the default password of 888888 for the admin account.
------------------------------------------
[Additional Information]
Requirements:
The attacker must know the device UID and the login password. The
standard combination of easy credentials is admin:888888. A remote
attacker can exploit this issue to execute arbitrary system commands
and obtain a system shell with root privileges.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
Dongguan Diqee Intelligent Co., Ltd
------------------------------------------
[Affected Product Code Base]
Diqee360 - any
------------------------------------------
[Affected Component]
Update wifi AP command
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
An authenticated attacker can send a specially crafted UDP packet and execute commands on the Diqee 360 vacuum cleaner as root.
The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153).
The specially crafted UDP packet runs /mnt/skyeye/mode_switch.sh %s, and the attacker controls the %s variable.
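
The pattern described above next to a hardened form, as an added example that is not the vendor's firmware code and not part of the original advisory. The function names, buffer size and allowed character set are assumptions; only the script path comes from the advisory.

```c
/* Added example: hypothetical handler code, not the Diqee firmware. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SCRIPT "/mnt/skyeye/mode_switch.sh" /* path quoted in the advisory */

/* Pattern the advisory describes: the packet field is formatted into a
 * command line and handed to /bin/sh, which interprets metacharacters. */
int set_mode_vulnerable(const char *field) {
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, SCRIPT " %s", field);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    return system(cmd);
}

/* Assumed policy: 1..63 bytes of [A-Za-z0-9_.-], not starting with '-'. */
int field_is_safe(const char *field) {
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789_.-";
    size_t n = strlen(field);
    if (n == 0 || n > 63 || field[0] == '-') return 0;
    return strspn(field, ok) == n;
}

/* Hardened form: validate, then exec the script directly so the field is
 * one argv element and no shell parses it. Returns exit status or -1. */
int set_mode_hardened(const char *script, const char *field) {
    int status;
    pid_t pid;
    if (!field_is_safe(field)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)script, (char *)field, NULL };
        execv(script, argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: a plain value and one with a shell separator. */
    printf("%d %d\n", field_is_safe("station"), field_is_safe("a;b"));
    return set_mode_hardened(SCRIPT, "a;b") == -1 ? 0 : 1;
}
```

Calling the script through execv requires it to be executable and to start with a `#!` line; the script itself must still quote its argument, since the allowlist only limits what reaches it.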
------------------------------------------
[Reference]
http://facebook.com/neolead
http://ptsecurity.com
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Leonid Krolle (Positive Technologies), George Zaytsev (Positive Technologies)