Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
31 lines (15 sloc) 976 Bytes

vendor:Tenda

product:AC9 AC7 AC10 and so on

version:V15.03.05.19(6318)_CN(AC9), V15.03.06.44_CN(AC7), V15.03.06.23_CN(AC10) and earlier

type:Command Injection vulnerability

author:Zhang Shao Jie

institution:NISL@Tsinghua University

Vulnerability description

Command Injection vulnerability on Shenzhen Tenda Ac9 V15.03.05.19(6318)_CN(AC9), V15.03.06.44_CN(AC7), V15.03.06.23_CN(AC10) and earlier devices allows attackers to execute arbitrary OS commands via a crafted goform/setUsbUnload request . This occurs because the " formsetUsbUnload" function executes a dosystemCmd function with untrusted input

image

POC

image

This PoC can result in a Dos.

p.s.Given the vendor's security, we only provide parts of the URL.