Vendor: SGAI
Affected products: Space1 NAS - N1211DS ≤ v1.0.915
Vendor Homepage: https://www.aigyzn.com/
Vendor contact information: https://www.aigyzn.com/contact/ - sgai@aigyzn.com
The SGAI Space1 NAS (model N1211DS, firmware version v1.0.915) contains an unauthorized remote command execution vulnerability caused by command injection. An attacker who has not verified their identity can rename a file or directory containing a malicious command filename through the RENAME_FILEcommand interface, thereby triggering a command injection vulnerability and gaining the highest control privileges on the remote target NAS device.
The vulnerability is located in the binary file gsaiagent.
In the sub_2AC28 function corresponding to the RENAME_FILE command interface, the newName field is retrieved.
And then, integrate it into the complete path.
After the existence check is performed, the sub_29E3C function is invoked, and it is passed as an argument.
In this case, the path containing newName is directly appended into the command for execution without any filtering or checking.
Therefore, there is an unauthorized command injection vulnerability here, which can inject malicious commands into the newName field, resulting in arbitrary command execution on the remote target device, thereby gaining ultimate control of the remote target NAS device.