EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution

Title: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
Advisory ID: ZSL-2017-5413
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 04.06.2017
Summary
With the EnGenius IoT Gigabit Routers and free EnShare app, use your iPhone, iPad or Android-based tablet or smartphone to transfer video, music and other files to and from a router-attached USB hard drive. Enshare is a USB media storage sharing application that enables access to files remotely. The EnShare feature allows you to access media content stored on a USB hard drive connected to the router's USB port in the home and when you are away from home when you have access to the Internet. By default the EnShare feature is enabled.
Description
EnGenius EnShare suffers from an unauthenticated command injection vulnerability. An attacker can inject and execute arbitrary code as the root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi' script.
Vendor
EnGenius Technologies Inc. - https://www.engeniustech.com
Affected Version
ESR300 (1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28)
ESR350 (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 1.3.1.41, 1.1.0.29)
ESR600 (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 1.4.0.23, 1.3.1.63, 1.2.1.46, 1.1.0.50)
EPG5000 (1.3.9.21, 1.3.7.20, 1.3.3.17, 1.3.3, 1.3.2, 1.3.0, 1.2.0)
ESR900 (1.4.5, 1.4.3, 1.4.0, 1.3.5.18 build-12032015@liwei (5668b74), 1.3.1.26, 1.3.0, 1.2.2.23, 1.1.0)
ESR1200 (1.4.5, 1.4.3, 1.4.1, 1.3.1.34, 1.1.0)
ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)
Tested On
Linux 2.6.36 (mips)
Embedded HTTP Server ,Firmware Version 5.11
lighttpd/1.4.31
Vendor Status
[17.05.2017] Vulnerability discovered.
[28.05.2017] Contact with the vendor.
[03.06.2017] No reply from the vendor.
[04.06.2017] Public security advisory released.
[21.06.2017] Vendor releases version EPG5000 1.3.014-30, ESR600 1-4-12-64 and ESR900 1.4.6 to address this issue.
PoC
enshare_rce.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/42114/
[2] https://packetstormsecurity.com/files/142792
[3] https://cxsecurity.com/issue/WLB-2017060050
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/127026
[5] https://www.engeniusnetworks.eu/downloads?field_file_type_tid=27&title=ESR900
[6] https://www.engeniusnetworks.eu/downloads?field_file_type_tid=27&title=ESR600
[7] https://www.engeniusnetworks.eu/downloads?field_file_type_tid=27&title=EPG5000
[8] http://www.vfocus.net/art/20170606/13644.html
Changelog
[04.06.2017] - Initial release
[08.06.2017] - Added reference [1], [2] and [3]
[13.06.2017] - Added reference [4]
[22.06.2017] - Added vendor status and reference [5], [6] and [7]
[25.06.2017] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk