I’m sitting around the house on a rainy Saturday hacking on IoT (Internet of Things) devices (that I own), and I discovered these command injection vulnerabilities. 🙂
The first command injection vulnerability was blind. I started up Wireshark and filtered on icmp and saw the pings. I removed the PHPSESSID from the cookie and the exploit worked without authentication.
This command injection vulnerability was a little easier to find due to the run_cmd in the response. It was so gratifying to see “root” printed on the screen!
I removed the PHPSESSID from the cookie and resubmitted the request from another computer and got unauthenticated command injection.
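The two root causes described above, a request value that reaches a shell and a handler that never verifies the session, side by side with the hardened form. This is an added example, not code from the post or from the device firmware it describes; the "ping a host" diagnostic endpoint, the host parameter, and the session dictionary are assumptions standing in for whatever the real firmware uses.

```python
"""Vulnerable-versus-hardened handler for an assumed 'ping a host' endpoint.

Added example; not the post's code or the device's code. Endpoint, parameter
and session shape are assumptions modelled on the two bugs in the post.
"""
import re
import shlex
import subprocess

# Allowlist for a hostname or IPv4 literal. The first character must be
# alphanumeric so the value can never be read by ping as an option.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


class Unauthenticated(Exception):
    """Raised when a request carries no valid session (the PHPSESSID case)."""


def vulnerable_ping_command(params):
    """The buggy pattern: request value concatenated into a shell line,
    no session check at all. Returned as a string, never executed, so the
    example can show the flaw without running anything."""
    return "ping -c 1 " + params.get("host", "")


def shell_tokens(command_line):
    """Tokenise the way /bin/sh would, with ; | & as separators, so it is
    visible whether user input turned one command into several."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_single_command(command_line):
    """True if the shell would see exactly one command, no chaining."""
    separators = {";", "|", "||", "&", "&&"}
    return not any(tok in separators for tok in shell_tokens(command_line))


def hardened_ping_argv(params, session):
    """Safe form: require a session, allowlist the value, build argv for
    subprocess with shell=False so no metacharacter is ever interpreted."""
    if not session or not session.get("authenticated"):
        raise Unauthenticated("no valid session")
    host = params.get("host", "")
    if not HOST_RE.match(host):
        raise ValueError("host rejected by allowlist")
    return ["ping", "-c", "1", host]


def run_ping(params, session):
    """Execute the hardened form (network access needed; not used in tests)."""
    argv = hardened_ping_argv(params, session)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    injected = {"host": "127.0.0.1; id"}  # constructed input, not from the post
    cmd = vulnerable_ping_command(injected)
    print("vulnerable shell line:", cmd)
    print("tokens the shell sees:", shell_tokens(cmd))
    print("single command?", is_single_command(cmd))
    for session in (None, {"authenticated": True}):
        try:
            print("hardened argv:", hardened_ping_argv(injected, session))
        except (Unauthenticated, ValueError) as exc:
            print("hardened handler refused:", exc)
    print("clean request:", hardened_ping_argv({"host": "192.168.1.1"},
                                              {"authenticated": True}))
```

The vulnerable function is deliberately never executed; tokenising its output is enough to show that a single request parameter becomes a second command. The hardened function fixes both bugs at once: the session check runs before anything else, and the value is passed as one argv element, so even a value that slipped past the allowlist could not start a new shell command.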
I’ve disclosed these vulnerabilities to the manufacturer and will provide an update with full disclosure after they have had time to fix the issues.