A critical security vulnerability has been discovered in DrayTek devices, particularly the Vigor2960 and Vigor300B models, that could allow attackers to remotely execute arbitrary commands on affected devices. This vulnerability exists in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint of the Web Management Interface, which is susceptible to command injection. The flaw affects over 66,000 internet-connected devices, potentially giving attackers the ability to exploit the vulnerability and compromise entire networks. DrayTek devices running software version 1.5.1.4 are the most affected by this issue.
Exploiting this vulnerability requires attackers to manipulate the session parameter in a crafted HTTP request sent to the vulnerable endpoint. When the malicious request is processed by the device, it allows the attacker to inject commands into the system, which are then executed with elevated privileges. This could lead to the unauthorized access of devices, remote code execution, and the exposure of sensitive network data. The severity of this vulnerability is compounded by the widespread deployment of DrayTek devices in various environments.
Researchers have demonstrated a Python script that successfully exploits this flaw by creating a malformed HTTP request, bypassing typical HTTP processing and directly transmitting the request to the target device. In one example, the pwd command is injected, revealing the directory of the target system. A more sophisticated attack uses the ${IFS} (Input Field Separator) to bypass potential filters, allowing the attacker to access sensitive system configuration files. This highlights the potential for attackers to compromise critical data stored on the affected devices.
To protect against this vulnerability, security experts recommend implementing strict input validation and sanitization for all CGI script parameters to prevent malicious commands from being processed. Furthermore, organizations should limit access to the web management interface by restricting it to trusted IP addresses, reducing the exposure to unauthorized access attempts. Applying these measures can significantly mitigate the risks associated with this vulnerability and protect DrayTek devices from exploitation.
Reference:
