Vendor of the products:    京东云 (JD Cloud)

Vendor’s website:   https://jdbox.jdcloud.com/

Reported by:    Zhuang Haoran (1851805232@163.com)

Affected models and versions:

JDCOS-JDC08-4.5.1.r4518

Firmware download address:

https://3.cn/10B-Q0ElN (password: ve8tjk)

Overview

A remote code execution (RCE) vulnerability exists in several JD Cloud Wireless Treasure IoT devices. Its root cause is the absence of validation, filtering and sanitisation of externally controllable command parameters in the device's service interface: the untrusted values are concatenated directly into system command lines with no restriction on shell metacharacters or command separators, which yields a straightforward command injection. A remote attacker who can reach the exposed service interface sends a crafted request whose parameter fields carry operating system commands; those commands run on the device's underlying system, giving the attacker full control of the device.

Vulnerability details

When the request URL is /jdcapi and the JSON request body carries the set_iptv_info field, /sbin/jdcweb_rpc dispatches the request through a function pointer taken from jdcapi_static_web_get_ddns_status (0x1897C):

[image: 图片.png]

The called function then reads the parameters enable, vlan_enable, vid, port and priority from the JSON request body:

[image: 图片.png]

The values are checked as follows:

  1. enable must be 1 or 0
  2. vlan_enable must be 1 or 0
  3. 1 <= vid <= 4094
  4. 0 <= port <= 7
  5. 1 <= priority <= 5
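As an added illustration (not code from this advisory, the vendor firmware, or the reporter), the following Python models the set_iptv_info request described above together with the five range checks exactly as listed, and places the two ways a handler can turn such parameters into a command side by side: a concatenated shell string, which the overview names as the root cause, and an argv list that no shell ever parses. The nesting of the parameters under set_iptv_info, the helper path /usr/sbin/iptv_cfg and its flags are assumptions made for the example; the advisory does not name the program the handler runs. The explicit integer type test is also an addition, since a range comparison on its own says nothing about non-integer JSON values.

```python
import json
import shlex

# Range checks as the advisory lists them for the set_iptv_info handler.
IPTV_RANGES = {
    "enable": (0, 1),
    "vlan_enable": (0, 1),
    "vid": (1, 4094),
    "port": (0, 7),
    "priority": (1, 5),
}

# Hypothetical helper; the advisory does not name the binary the handler invokes.
TOOL = "/usr/sbin/iptv_cfg"

# Characters a POSIX shell interprets when it parses a command string.
SHELL_META = set(";|&`$()<>\n")


def validate_iptv_params(params):
    """Return the five checked parameters as ints, or raise ValueError.

    The isinstance test is an addition to the advisory's checks: it rejects
    strings, floats and booleans before the range comparison is attempted.
    """
    out = {}
    for name, (lo, hi) in IPTV_RANGES.items():
        if name not in params:
            raise ValueError(f"missing field: {name}")
        val = params[name]
        if isinstance(val, bool) or not isinstance(val, int):
            raise ValueError(f"{name} must be a JSON integer, got {type(val).__name__}")
        if not lo <= val <= hi:
            raise ValueError(f"{name}={val} outside [{lo}, {hi}]")
        out[name] = val
    return out


def is_rejected(params):
    """True when validate_iptv_params refuses the parameter set."""
    try:
        validate_iptv_params(params)
    except ValueError:
        return True
    return False


def build_jdcapi_body(**params):
    """JSON body for a request to /jdcapi carrying set_iptv_info.

    Placing the parameters under the set_iptv_info key is an assumption.
    """
    return json.dumps({"set_iptv_info": params})


def parse_jdcapi_body(raw):
    """Decode a /jdcapi body and return the validated set_iptv_info parameters."""
    body = json.loads(raw)
    if "set_iptv_info" not in body:
        raise ValueError("not a set_iptv_info request")
    return validate_iptv_params(body["set_iptv_info"])


def command_by_concatenation(params):
    """The pattern the overview describes: one shell string built from the
    parameters. Harmless only for values that already passed the integer
    checks; an unchecked value is handed to the shell verbatim."""
    return (f"{TOOL} --enable={params['enable']} --vlan={params['vlan_enable']} "
            f"--vid={params['vid']} --port={params['port']} --prio={params['priority']}")


def shell_metacharacters(cmd):
    """Metacharacters the shell would act on in a concatenated command string."""
    return sorted(c for c in SHELL_META if c in cmd)


def command_as_argv(params):
    """Hardened form: an argv list for execv / subprocess.run(shell=False),
    so the values are never parsed by a shell at all."""
    return [
        TOOL,
        f"--enable={params['enable']}",
        f"--vlan={params['vlan_enable']}",
        f"--vid={params['vid']}",
        f"--port={params['port']}",
        f"--prio={params['priority']}",
    ]


if __name__ == "__main__":
    # Constructed sample request within every range.
    good = parse_jdcapi_body(build_jdcapi_body(enable=1, vlan_enable=1, vid=100, port=3, priority=2))
    print(command_by_concatenation(good))
    print(shlex.join(command_as_argv(good)))
    # Constructed sample carrying a command separator in vid: rejected by the
    # integer check, and visible as a metacharacter if concatenated unchecked.
    bad = {"enable": 1, "vlan_enable": 1, "vid": "100;id", "port": 3, "priority": 2}
    print(is_rejected(bad), shell_metacharacters(command_by_concatenation(bad)))
```

The point of keeping both builders is that the range checks listed above protect the concatenated form only as long as every concatenated value has actually passed them as an integer; the argv form stays safe regardless, which is why a fix should move the handler to execv-style invocation rather than rely on filtering the string.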