Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)


#### CNetSetObj::m_F_n_Set_IP_Addr command injection

The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)

{

bool v2; // zf

char v4[72]; // [sp+0h] [bp-48h] BYREF



v2 = *this == 0;

if ( *this )

v2 = ip_addr == 0;

if ( v2 )

return 0;

sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address

system(v4);

return 1;

}