UTT Jinqi 750W formPdbUpConfig Command Injection and Buffer Overflow Vulnerability

Critical Vulnerability Information Vulnerability Title Buffer Overflow / Command Injection (insufficient input validation) in UTT Jinqi 750W /goform/formPdbUpConfig (Denial of Service / Potential RCE) Summary Vendor: UTT (AiTai) Product: Jinqi 750W Affected Firmware: <= v5v3.2.2-191225 Firmware Download: Link Vulnerability Type: Buffer Overflow / Command Injection / Insufficient Input Validation Impact: An unauthorized or authorized attacker (depending on device access and authentication configuration) can craft a malicious POST request to , exploiting the parameter. This parameter is not properly validated and is ultimately used in a system call (e.g., ), potentially leading to buffer overflow and/or command execution, causing device crash (DoS) or, under specific conditions, remote code execution. Technical Details After is covered, the tutorial demonstrates how to inject via the parameter and create a web-readable file. Proof of Concept (PoC) Send the following POST request to the device’s HTTP management interface (e.g., using ): Reproduction Steps 1. Ensure a Jinqi 750W device is running affected firmware (<= v5v3.2.2-191225) and its web management interface is accessible (e.g., ). 2. Use valid admin credentials if required. The PoC demonstrates Digest authentication headers; adjust to match the device’s authentication method. 3. Send a specially crafted request to containing a malicious value (refer to video PoC). 4. Observe one or more of the following: - Creation of a file in a writable location (e.g., ), indicating command execution. - HTTP service crash, process restart, or device reboot, indicating buffer overflow/DoS. - Any related logs or system information can be observed via serial console, SSH, or web interface. Code and Binary Analysis Summary Input handling lacks strict validation for (no length checks, no whitelist of valid values). User-controlled data is passed into a formatting context and eventually into a system call path (posing format string and shell command injection risks). Code likely uses unsafe formatting functions (e.g., , ) or constructs shell command strings for / without proper escaping. If the HTTP service runs with elevated privileges, exploitation could lead to severe consequences (file modification, privilege persistence, configuration tampering). Impact Immediate Impact: Remote attackers can crash the device (DoS) or execute arbitrary shell commands depending on firmware and environment. Further Risks: If the filesystem is writable and web-accessible areas can be modified, attackers may place webshells or scripts to achieve persistent access and lateral movement. Scope: All Jinqi 750W devices running affected firmware versions. Mitigation and Remediation Vendor/Firmware Fixes 1. Strict Input Validation: Implement whitelisting for and other parameters; enforce maximum length and acceptable character sets. 2. Avoid Shell-Based Command Construction: Replace shell command composition with safer APIs or calls that pass parameters as arrays, not as single shell-interpreted strings. 3. Use Secure Formatting Functions: Replace / with , and always validate buffer boundaries on writes. 4. Run Service with Least Privilege: Ensure the HTTP service runs with minimal privileges, unable to modify critical filesystem areas. 5. Static/Dynamic Analysis and Fuzzing: Add unit tests and fuzzing for HTTP parameter parsing and command execution paths. Administrator Mitigation Steps 1. Firmware Upgrade: Apply patches as soon as the vendor releases fixed firmware. 2. Restrict Management Access: Limit access to management interfaces via ACLs, VPN, or management VLAN; do not expose to the public internet. 3. Strengthen Authentication: Use strong passwords, disable default accounts, and change default management ports where possible. 4. Monitoring and Detection: Monitor for anomalous HTTP requests, unexpected file creation, or frequent process restarts; enable logging and alerting. Responsible Disclosure Recommendations 1. Submit a complete report to UTT (including PoC, screenshots, and reproduction steps). Request a 60-day initial response window for remediation. 2. After vendor confirms fix and releases firmware, publish a public advisory including mitigation steps and detection guidance. 3. If vendor does not respond, consider escalating to CERT or other coordinated disclosure channels. Disclose the vulnerability publicly only after a patch is widely available. Avoid releasing exploitable PoCs before a widely available patch is released.

Goal Reached Thanks to every supporter — we hit 100%!

UTT Jinqi 750W formPdbUpConfig Command Injection and Buffer Overflow Vulnerability

More from this source