CVE-2020-21992

Description

Inim Electronics SmartLiving SmartLAN/G/SI <=6.x suffers from an authenticated remote command injection vulnerability. The issue exist due to the 'par' POST parameter not being sanitized when called with the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit LSB executable, ARM) is calling the 'sh' executable via the system() function to issue a command using the mailx service and its vulnerable string format parameter allowing for OS command injection with root privileges. An attacker can remotely execute system commands as the root user using default credentials and bypass access controls in place.

Related CPE's

oinimsmartliving_505_firmware********
vulnerable
hinimsmartliving_505-*******
oinimsmartliving_515_firmware********
vulnerable
hinimsmartliving_515-*******
oinimsmartliving_1050_firmware********
vulnerable
hinimsmartliving_1050-*******
oinimsmartliving_1050g3_firmware********
vulnerable
hinimsmartliving_1050g3-*******
oinimsmartliving_10100l_firmware********
vulnerable
hinimsmartliving_10100l-*******

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php

ExploitThird Party Advisory

CvssV3 impact

BaseSeverity

HIGH

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

LOW

BaseScore

8.8

VectorString

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

COMPLETE

AvailabilityImpact

COMPLETE

IntegrityImpact

COMPLETE

BaseScore

9

VectorString

AV:N/AC:L/Au:S/C:C/I:C/A:C

Version

2.0

AccessVector

NETWORK

Authentication

SINGLE