Summary

A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument handling using eval, allowing shell command injection when attacker-controlled input is included in arguments forwarded from management actions.

An authenticated remote attacker with access to the device management interface can exploit this issue to execute arbitrary shell commands on the device.

Classification

• Vulnerability type: OS command injection / eval injection
• CWE: CWE-78, Improper Neutralization of Special Elements used in an OS Command

Affected Product

• Vendor: Beijing Panabit Network Software Co., Ltd
• Product: PanabitAP PAP-XM320
• Affected versions: up to and including V7.7
• Firmware download reference: https://download.panabit.com:9443/?product=ap

Affected Components

• Backend helper: /usr/sbin/pappiw
• Web management CGI actions that forward user-controlled arguments to pappiw
• Confirmed affected actions:
  • /cgi-bin/iwan/ajax_iwanset, action=addsta, mac parameter
  • /cgi-bin/sys/ajax_syscfg, action=setapmode, apmode parameter

Vulnerability Details

The backend helper processes arguments using unsafe shell evaluation logic. The vulnerable argument handling pattern is equivalent to shifting the argument list and then evaluating the remaining attacker-influenced argument string with the shell.

shift
eval "$*"

When CGI handlers forward user-controlled values to this helper, shell metacharacters in those values can be interpreted by the shell instead of being treated as data.

The addsta action is a confirmed example. A user-controlled mac value is passed into the backend helper and can be used to inject an additional shell command. The setapmode action shows the same class of issue through the apmode parameter.