1. Overview

An OS command injection vulnerability exists in the Reolink application, where an attacker can inject arbitrary OS commands through the folder name used in the application's temporary directory.

By manipulating the temporary folder name (through malicious code or similar methods), an attacker can insert arbitrary system commands into the OS-level command executed by Reolink's internal scheduler (coverCacheClearScheduler), which runs periodically. This can result in remote code execution (RCE).

This issue corresponds to CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').


2. Details

The application registers the following task with its scheduler (coverCacheClearScheduler); the task is configured to run once a day at 3:00 AM local time:

{
  key: "clearCoverCacheRegularly",
  value: function () {
    if (this.coverCacheClearScheduler) {
      // Next run: today at 03:00 local time, or tomorrow at 03:00 if that time has already passed.
      var e = new Date(),
        t = new Date(e.getFullYear(), e.getMonth(), e.getDate(), 3, 0, 0).getTime();
      (e.getTime() > t &&
        (t = new Date(e.getFullYear(), e.getMonth(), e.getDate() + 1, 3, 0, 0).getTime()),
        // Repeats daily; the task body is removeCoverCacheDir, which builds the shell command shown below.
        this.coverCacheClearScheduler.add({
          id: this.clearCoverCacheTaskId,
          name: "clearCoverCache",
          unit: r.ETaskUnit.DAY, // r: bundled module that holds the scheduler's enums
          interval: 1,
          args: !1, // false
          execute: this.removeCoverCacheDir,
          nextTime: t,
          isInExact: !0, // true
        }),
        this.coverCacheClearScheduler.start());
    }
  },
}

The function executed by the scheduler constructs a shell command string using the following logic:

// p appears to be the bundle's exec-style helper that hands a string to the system shell
// (the name is minified); t is the full path of the playback-covers directory,
// concatenated in without quoting or escaping.
p(
  "darwin" === process.platform
    ? "rm -rf ".concat(t)
    : "rd /s /q ".concat(t),
  function (t) {
    //...
  }
);

On Windows, this results in a command such as:

rd /s /q %LOCALAPPDATA%\Temp\reolink\<TEMP_FOLDER>\playback-covers

On macOS, the command becomes:

rm -rf ~/Library/Caches/reolink/<TEMP_FOLDER>/playback-covers

Because <TEMP_FOLDER> is concatenated into the command string without any validation, quoting or escaping, and the string is then interpreted by a shell (cmd.exe on Windows, sh on macOS), shell metacharacters in the folder name (& on Windows; & and ; on macOS) terminate the rm/rd command and start a new one. A folder name chosen by the attacker therefore turns the scheduled cleanup into command execution:

rd /s /q %LOCALAPPDATA%\Temp\reolink\& <COMMAND> &\playback-covers
rm -rf ~/Library/Caches/reolink/& <COMMAND>; echo /playback-covers

In the macOS case the trailing "echo" absorbs the "/playback-covers" suffix the application appends, so the injected command still parses cleanly. Both names are legal directory names on their respective platforms, since neither contains a path separator.

3. Proof of Concept (PoC)