Key Information

Vulnerability Title: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
Type: Local/Remote
Impact: System Access
CVE ID: CVE-2017-9586
Release Date: 04.06.2017

Vulnerability Description

EnGenius EnShare contains an unauthenticated command injection vulnerability. Attackers can inject and execute arbitrary code as the root user by manipulating the 'path' GET/POST parameter in the 'usbinteract.cgi' script.

Affected Versions

ESR300 (1.4.8, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28)
ESR900 (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 1.3.1.41, 1.1.0.29)
ESR600 (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 1.4.0.23, 1.3.1.63, 1.2.1.46, 1.1.0.50)
EPS5000 (1.3.1.21, 1.3.1.20, 1.3.1.19, 1.3.1.18 (build 1032015@Intel (6668b74)), 1.3.1.26, 1.3.0, 1.2.2.23, 1.1.0)
ESR1200 (1.4.5, 1.4.3, 1.4.1, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)
ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)

Test Environment

Linux 2.6.36 (mips)
Embedded HTTP Server, Firmware Version 5.11
lighttpd 1.4.31

Vendor Status

2017-05-17: Vulnerability discovered
2017-05-28: Vendor contacted
2017-06-03: Response received from vendor
2017-06-04: Security advisory published
2017-06-21: Vendor released fixed versions: EPS5000 1.3.014-30, ESR600 1.4-12-64, and ESR900 1.4.6

PoC

enshare_rce.py

Discoverer

Gjoko Krstic

Reference Links

1. https://www.exploit-db.com/exploits/42114/
2. https://packetstormsecurity.com/files/142706/
3. https://ics-cert.us-cert.gov/advisories/ICSA-17-163-03
4. http://www.securityfocus.com/bid/98685/info
5. https://www.engeniustnetworks.eu/downloads?field_file_type_tid=27&title=ESR900
6. https://www.engeniustnetworks.eu/downloads?field_file_type_tid=27&title=ESR600
7. https://www.engeniustnetworks.eu/downloads?field_file_type_tid=27&title=EPS5000
8. http://www.vtcous.net/artn2017060613644.html
9. https://badpackets.net/engenius-routers-found-in-mirai-like-botnet/
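
Detection example (added here, not part of the original advisory or the vendor's code): a log triage pass that flags requests to 'usbinteract.cgi' whose 'path' parameter carries shell metacharacters, matching the injection point described above. The combined-style access log layout, the "/PLACEHOLDER/" directory, the sample lines and the function name are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters a USB file path never needs but a shell interprets.
SHELL_META = re.compile(r'''[;&|`$<>"'\\\n\r]''')

# Assumed combined-style access log: client first, then the quoted request line.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; "/PLACEHOLDER/" stands in for the real script directory.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2017:10:00:01 +0000] "GET /PLACEHOLDER/usbinteract.cgi?path=/mnt/usb/photos HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2017:10:00:05 +0000] "GET /PLACEHOLDER/usbinteract.cgi?path=/mnt/usb%3Bid HTTP/1.1" 200 64',
    '198.51.100.7 - - [04/Jun/2017:10:00:09 +0000] "POST /PLACEHOLDER/usbinteract.cgi HTTP/1.1" 200 64',
    '192.0.2.10 - - [04/Jun/2017:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

def suspicious_path_requests(log_lines):
    """Return (client, method, decoded path value) for requests worth triage."""
    findings = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/usbinteract.cgi"):
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("path", []):
            if SHELL_META.search(value):
                findings.append((m["src"], m["method"], value))
        # POST bodies are not in the access log, so the parameter cannot be
        # inspected here; report the request with None for packet-level review.
        if m["method"] == "POST" and "path" not in params:
            findings.append((m["src"], m["method"], None))
    return findings

if __name__ == "__main__":
    for client, method, value in suspicious_path_requests(SAMPLE_LOG):
        print(client, method, repr(value))
```

Because the service is unauthenticated, any hit from outside the management network on an affected firmware version should be treated as a possible compromise, and the device moved to one of the fixed versions listed under Vendor Status.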