CVE-2018-10987

An issue was discovered on Dongguan Diqee Diqee360 devices. The affected vacuum cleaner suffers from an authenticated remote code execution vulnerability. An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs "/mnt/skyeye/mode_switch.sh %s" with an attacker controlling the %s variable. In some cases, authentication can be achieved with the default password of 888888 for the admin account.

CVSS v3 7.5 HIGH
CVSS v2.0 8.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:S/C:C/I:C/A:C

Exploitability : 6.8 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://gist.github.com/neolead/10b27c5c04bca84a5515783ca6f2ecb4#file-cve-2018-10987-txt	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:diqee:diqee360_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:diqee:diqee360:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-07-05 20:29

Updated : 2024-02-28 16:25

NVD link : CVE-2018-10987

Mitre link : CVE-2018-10987

CVE.ORG link : CVE-2018-10987

JSON object : View

Products Affected

diqee

diqee360_firmware
diqee360

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2018-10987", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 8.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2018-07-05T20:29:00.323", "references": [{"url": "https://gist.github.com/neolead/10b27c5c04bca84a5515783ca6f2ecb4#file-cve-2018-10987-txt", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Dongguan Diqee Diqee360 devices. The affected vacuum cleaner suffers from an authenticated remote code execution vulnerability. An authenticated attacker can send a specially crafted UDP packet, and execute commands on the vacuum cleaner as root. The bug is in the function REQUEST_SET_WIFIPASSWD (UDP command 153). A crafted UDP packet runs \"/mnt/skyeye/mode_switch.sh %s\" with an attacker controlling the %s variable. In some cases, authentication can be achieved with the default password of 888888 for the admin account."}, {"lang": "es", "value": "Se ha descubierto un problema en dispositivos Dongguan Diqee Diqee360. La aspiradora afectada sufre de una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo autenticada. Un atacante autenticado puede enviar un paquete UDP especialmente manipulado y ejecutar comandos en la aspiradora como root. El error est\u00e1 en la funci\u00f3n REQUEST_SET_WIFIPASSWD (comando UDP 153). Un paquete UDP manipulado ejecuta \"/mnt/skyeye/mode_switch.sh %s\" mientras un atacante controla la variable %s. En algunas situaciones, la autenticaci\u00f3n puede lograrse mediante la contrase\u00f1a por defecto 888888 para la cuenta de administrador."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:diqee:diqee360_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF2397C7-AF72-4C9C-84D7-CD89F31B19B3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:diqee:diqee360:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A821DEA3-6C34-423D-9A38-80A6F4A68BF5"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}