Command injection and stack overflow in the Qualcomm QCMAP Web Interface leads to remote code execution
Qualcomm QCMAP (closed source)
QCMAP before October 2020
Remote code execution can happen by sending a carefully crafted POST query when Device configuration is accessed from a tethered client through webserver due to lack of array bound check.
The issue resides in the QCMAP_ConnectionManager
binary.
Part of the basic functionality of the media server is to allow the user to set media directories to publish from. This can be done, for example, via the web interface.
At the implementation level, the CGI handler at cgi-bin/qcmap_web_cgi
passes data from the web form to the QCMAP_Web_CLIENT
binary which parses the request. The sent data is expected to be in the format var1=val1&var2=val2& var3=val3…
. The first variable is expected to be the page
variable. If it is set to SetMediaDir
the code parses the next variables to set the DLNA media directory. It then sends the variables to the QCMAP_ConnectionManager
binary, which takes care of the request in the function qmi_qcmap_msgr_set_dlna_media_dir
and passes it to QCMAP_MediaService::SetDLNAMediaDir
. In this function, the code splits the sent directory by the ,
character, and for each portion, it calls snprintf
to create a command, which is then sent as an argument to the system
function. There is no check on the user input to make sure that it doesn’t include malicious characters, thus it is possible to pass a string with shell metacharacters (such as ;
) and run arbitrary commands.
http://x.x.x.x/cgi-bin/qcmap_web_cgi?page=SetMediaDir&dir=fakedir;sleep%2010
No vulnerability mitigations are supplied for this issue
(JFrog) Vulnerabilities Discovered in Qualcomm QCMAP enable remote root access