Vulnerability Title : SAILOR Ku Software RCE and Privilege Escalation - Diagnostics report

Vulnerability Summary : The Reporting page is exploitable through OS command injection in the sender and recipients input values.

Manufacturer : Cobham

Software Name : SAILOR VSAT Ku - Software 164B019

Version : 164B019

Software Type : IoT satellite equipment

Vulnerability Type : OS Command Injection

Impact : Remote Code Execution, Privilege Escalation

Vulnerable File Name : acu_web

Vulnerable Function Name : sub_219C4

Vulnerable Parameter : /c?ajaxMod=ajax_report&ajaxReq=set_reports&json={"rdiag":{"sender":"[email protected]","recipients":"[email protected]","interval":24}}

Proof Of Concept :

[screenshot]

Access the Reporting page under Settings; it is reachable with guest permissions.

[screenshot]

[screenshot]

Remove the disabled property from the input, enter an arbitrary value, and capture the request that sends it using Burp Suite.

[screenshot]

Modify the object in the json parameter as shown in the image above and send the request.

[screenshot]

Through the command injection vulnerability you can then log in as admin with the password you changed.

Cause of vulnerability :

[screenshot]

The sub_219C4 function does not validate the sender and recipients values when it receives an object whose key is cmd.

[screenshot]

The unverified values are inserted into a string that is then executed through the system function.

Therefore, arbitrary commands can be run on the system.

Exploitation scenario :

If the conditions are right, commands can be run on the system and administrative privileges obtained. An attacker can then reach equipment connected to the same network or disable the satellite equipment altogether.

Action plan :

If the system function must be used, input filtering should be added to prevent command injection.
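The following C example illustrates the root cause described above (untrusted sender/recipients values concatenated into a string handed to system) and the hardened form the action plan asks for. It is an added example, not code from acu_web or from Cobham: the function names, the assumed mailer helper path /usr/sbin/report_mailer, the argv layout and the 1..168 hour interval range are all assumptions. Instead of filtering shell metacharacters out of the values, it rejects anything outside a strict allow-list for an e-mail address and then runs the helper with fork/execv so no shell ever parses the inputs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not code from the SAILOR firmware. The helper binary,
 * its argv layout and the interval range are assumptions. */

#define MAX_ADDR 254
#define REPORT_MAILER "/usr/sbin/report_mailer"   /* assumed helper path */

/* Allow-list check for an e-mail address: only [A-Za-z0-9._+-] on both
 * sides of exactly one '@', with a non-empty local part and domain.
 * Everything else, including shell metacharacters (; | & ` $ ( ) < >)
 * and whitespace, is rejected outright rather than "filtered". */
bool is_safe_email(const char *addr)
{
    if (addr == NULL) return false;
    size_t len = strlen(addr);
    if (len == 0 || len > MAX_ADDR) return false;

    const char *at = NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') {
            if (at != NULL) return false;            /* second '@' */
            at = addr + i;
        } else if (!(isalnum(c) || c == '.' || c == '_' ||
                     c == '+' || c == '-')) {
            return false;                            /* not on the allow-list */
        }
    }
    if (at == NULL) return false;                    /* no '@' at all */
    if (at == addr || at[1] == '\0') return false;   /* empty local part or domain */
    return true;
}

/* The reporting interval is an integer number of hours; accept 1..168 only
 * (assumed range) so it can never carry anything but digits. */
bool is_safe_interval(long interval)
{
    return interval >= 1 && interval <= 168;
}

/* Build an argv for the mailer helper. argv must have room for 5 entries and
 * interval_buf for 16 bytes. No string concatenation takes place, so even a
 * value that slipped past validation could not be parsed as shell syntax.
 * Returns false if any input fails validation. */
bool build_report_argv(const char *sender, const char *recipients,
                       long interval, char *argv[5], char interval_buf[16])
{
    if (!is_safe_email(sender) || !is_safe_email(recipients) ||
        !is_safe_interval(interval))
        return false;
    snprintf(interval_buf, 16, "%ld", interval);
    argv[0] = REPORT_MAILER;
    argv[1] = (char *)sender;        /* passed as a separate argument */
    argv[2] = (char *)recipients;    /* never joined into a command line */
    argv[3] = interval_buf;
    argv[4] = NULL;
    return true;
}

/* Run the mailer without a shell: fork + execv with the validated argv.
 * Returns the child's exit status, or -1 if validation, fork or wait fails
 * (127 if the helper itself could not be executed). */
int run_report(const char *sender, const char *recipients, long interval)
{
    char *argv[5];
    char interval_buf[16];
    if (!build_report_argv(sender, recipients, interval, argv, interval_buf))
        return -1;                   /* rejected before anything is spawned */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);        /* no /bin/sh -c involved */
        _exit(127);                  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one clean, one carrying shell syntax. */
    const char *clean = "noc@example.com";
    const char *dirty = "noc@example.com; ls";
    printf("%s -> %s\n", clean, is_safe_email(clean) ? "accepted" : "rejected");
    printf("%s -> %s\n", dirty, is_safe_email(dirty) ? "accepted" : "rejected");
    return 0;
}
```

The design point is that validation and execution are two separate defences: the allow-list stops hostile values at the web layer, and execv without a shell means a future validation bug still cannot turn an e-mail field into a command line. If the real firmware genuinely needs system(), the allow-list above is the minimum; a deny-list of "dangerous characters" is the filtering approach that is routinely bypassed.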