
HIGH Disclosed

OS Command Injection via Web Interface

User-controlled CGI parameters and request-derived buffers are embedded into shell command strings and executed without sanitization.

CVE
CVE-2026-6822, CVE-2026-6259
Vendor
Inhand Networks
Product
5G Modem

Executive Summary

A firmware binary was analyzed for command-execution weaknesses. The analysis confirmed two high-severity findings, both involving user-influenced network input embedded into shell command strings and executed via system/popen. Overall risk is High: both sinks sit on network-reachable paths, and the binary ships without PIE, NX, stack canaries or RELRO, so no platform hardening limits what an injected command can do.

Binary Profile

  • Security Flags: PIE (absent), NX (absent), stack_canary (absent), RELRO (absent)
  • Risk Level: High

Findings

1. CGI user Parameter Reaches system Command — High

  • Function: sub_407bcc @ 0x407bcc
  • CWE: CWE-78 — OS Command Injection
  • Category: command_injection
  • Reachability: reachable_from_network

Description

The function reads the CGI parameter user via webcgi_get("user") and formats it into the template pam_tally2 -u %s -r with snprintf. The resulting string is passed to system, which hands it to /bin/sh, creating a direct shell injection surface. No strict allowlist validation of the substituted user value is performed in this function, so shell metacharacters (for example ;, |, &&, $( ) or backticks) in the parameter alter the command that the shell executes.

Taint Chain

webcgi_get("user") @ 0x407c10 -> $s1 <- result @ 0x407c20 -> snprintf(&var_110, 0x100, 0x4206e4, $s1) @ 0x407c68 -> system(&var_110) @ 0x407c78

Mitigations

  • Present: none
  • Absent: PIE, NX, stack_canary, RELRO, strict_input_allowlist

2. Captive Portal Request Slice Injected into system/popen — High

  • Function: get_captive_portal_auth @ 0x41b6c0
  • CWE: CWE-78 — OS Command Injection
  • Category: command_injection
  • Reachability: reachable_from_network

Description

A request-derived buffer (arg1) is offset (arg1 + 4) and inserted as %s into shell templates chilli_query list |grep %s and chilli_query authorize ip %s. These commands are executed by popen and system, respectively. Although credential checks exist (portal_lo_un/portal_lo_pw), the shell-substituted argument itself is not strictly validated, enabling command injection via crafted input.

Taint Chain

request-derived arg1 buffer ($s0 <- arg1 @ 0x41b6fc) -> $s2_1 <- $s0 + 4 @ 0x41b8f8 / 0x41b844 -> snprintf(..., 0x4252d4, $s2_1) @ 0x41b90c and snprintf(..., 0x425340, $s2_1) @ 0x41b860 -> system(command) @ 0x41b8c8 and popen(command) @ 0x41b924

Mitigations

  • Present: none
  • Absent: PIE, NX, stack_canary, RELRO, command_argument_validation
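Both findings share one shape: an untrusted string is formatted into a shell template and handed to system or popen. The following C program is an added illustration, not code from the Inhand firmware: it reproduces the vulnerable snprintf/system pattern from finding 1, then shows the fix that both findings' "Absent" mitigations point at, a strict allowlist on the substituted value (a username for pam_tally2, an IPv4 address for chilli_query authorize ip) followed by execution through an argv vector with no shell. The function names, the 32-character username limit, the attacker input "admin; reboot" and the IPv4 check are assumptions made for the example.

```c
// Added example (not the vendor's code): the vulnerable snprintf()+system()
// pattern from findings 1 and 2, beside a hardened version that allowlists
// the argument and execs without a shell.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* --- Vulnerable shape: untrusted value formatted into a shell template. ---
 * Same as snprintf(&var_110, 0x100, "pam_tally2 -u %s -r", user); system(&var_110);
 * Returns 0 if the whole template fitted into out, -1 if it was truncated. */
int build_vulnerable_cmd(const char *user, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "pam_tally2 -u %s -r", user);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* --- Hardened input checks: strict allowlists, not metacharacter blocklists. --- */

/* Assumed account-name policy: 1..32 chars of [A-Za-z0-9_.-]; first char must be
 * alphanumeric or '_' so the value cannot be read as an option (e.g. "-r"). */
int is_safe_username(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 32) return 0;
    if (!(isalnum((unsigned char)s[0]) || s[0] == '_')) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Client address for "chilli_query authorize ip <addr>": must parse as a
 * dotted-quad IPv4 address; inet_pton rejects trailing garbage such as "|id". */
int is_safe_ipv4(const char *s) {
    struct in_addr a;
    return strlen(s) < INET_ADDRSTRLEN && inet_pton(AF_INET, s, &a) == 1;
}

/* --- Hardened execution: argv vector, no /bin/sh, so metacharacters are inert. ---
 * Returns the child's exit status, or -1 on fork/wait failure (127 if exec failed). */
int run_argv_no_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);  /* exec failed; never falls through to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Safe replacement for finding 1: validate, then exec pam_tally2 directly.
 * Returns -2 when the username is rejected before anything is executed. */
int reset_tally_safe(const char *user) {
    if (!is_safe_username(user)) return -2;
    char *const argv[] = { "pam_tally2", "-u", (char *)user, "-r", NULL };
    return run_argv_no_shell(argv);
}

int main(void) {
    const char *evil = "admin; reboot";   /* constructed attacker-controlled input */
    char cmd[256];
    build_vulnerable_cmd(evil, cmd, sizeof cmd);
    printf("vulnerable path would hand to system(): %s\n", cmd);
    printf("hardened path result for the same input: %d (rejected)\n", reset_tally_safe(evil));
    printf("is_safe_ipv4(\"10.0.0.5; id\") = %d\n", is_safe_ipv4("10.0.0.5; id"));
    return 0;
}
```

For finding 2 the same two steps apply: validate the slice taken at arg1 + 4 against the type it is supposed to be, then run chilli_query through an argv vector. The pipe into grep disappears if the program reads the output of a fixed, argument-free chilli_query list invocation and does the string match itself; a constant command string is the only thing popen should ever receive.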