Vulnerability Title : SAILOR Ku Software RCE and Privilege Escalation - Diagnostics report Vulnerability Summary : In Reporting page, We can exploit using OS Command Injection in sender and recipients input value Manufacturer : cobham Software Name : SAILOR VSAT Ku - Software 164B019 Version : 164B019 Software Type : IoT satllite equipment Vulnerability Type : OS Command Injection Impact : Remote Code Execution, Privilege Escalation Vulnerable File Name : acu_web Vulnerable Function Name : sub_21D24 Vulnerable Parameter : /c?ajaxMod=ajax_report&ajaxReq=set_reports&json={"rstat":{"sender":"[email protected]","recipients":"[email protected]","interval":0}} Proof Of Concept :

Untitled

Accessing the Reporting page in settings accessible by guest permissions.

Untitled

Untitled

Remove the disable property and obtain the packet that sent the arbitrary value using the burp suite.

Untitled

Modify the object in the json parameter as shown in the image above and send request.

Untitled

This allows you to use the Command Injection vulnerability to log in as admin with the password you changed.

Cause of vulnerability :

Untitled

The sub_21D24 function does not validate the sender and recipients values when it receives an object whose key is cmd.

Untitled

Unverified values are inserted into the string and executed as a system function.

Therefore, you can run any command on the system.

Exploitation scenario :

If the conditions are correct, you can run commands on the system and obtain administrative privileges. Attacker can access equipment connected on the same network or disable satellite equipment altogether.