type: Remote Command Execution
author: Jinwen Zhou, Yifeng Li
## Vulnerability description
We found a command injection vulnerability and a buffer overflow vulnerability in Tenda Technology's **G1 and G3** routers running the recently released firmware. The command injection allows a remote attacker to execute arbitrary OS commands on the router via a crafted GET request.
### Remote Command Injection vulnerability
In the **formSetUSBPartitionUmount** function, the **"usbPartitionName"** parameter supplied by the user is not filtered before it is placed into an OS command. Because the value is handed to a shell, a **usbPartitionName** such as **"aaa;ping x.x.x.x;"** terminates the intended command at the `;` and the remainder is executed as a separate command on the router's OS.
### Proof of concept
Setting the value of **usbPartitionName** to **aaa;ping x.x.x.x;** in the request makes the router execute the **ping** command; ICMP echo requests arriving at x.x.x.x confirm that the injected command ran.
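The following C program is an added illustration of the bug class described above, not code from the Tenda firmware: the real handler's source is not on this page, so `build_umount_cmd_vulnerable`, the `/mnt/<name>` mount path and the `/bin/umount` binary are assumptions. It models the vulnerable pattern (the untrusted **usbPartitionName** concatenated into a shell command line) and contrasts it with a hardened handler that allow-lists the partition name and runs `umount` through `execv` with an argv array, so no shell ever parses the value.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (modelled; the real firmware's handler is not on this page):
 * the handler concatenates the untrusted usbPartitionName straight into a shell
 * command line. The command that would be passed to system() is written to `out`
 * so it can be inspected instead of executed. Returns 0 on success, -1 on truncation. */
int build_umount_cmd_vulnerable(const char *usbPartitionName, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "umount /mnt/%s", usbPartitionName);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list check: a partition name is only ever a short token of letters,
 * digits, '_' or '-'. Everything the shell treats specially (';', '|', '&', '$',
 * '`', spaces, '/', quotes, newlines) is rejected. Returns 1 if safe, 0 otherwise. */
int is_safe_partition_name(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then run umount via execv with an argv array.
 * The mount path is one argument, never a shell string, so "aaa;ping x.x.x.x;"
 * cannot become a second command. Returns -1 if the name is rejected or the
 * child could not be started, otherwise umount's exit status. */
int umount_partition_hardened(const char *usbPartitionName) {
    if (!is_safe_partition_name(usbPartitionName)) return -1;

    char path[64]; /* "/mnt/" + at most 32 chars + NUL fits comfortably */
    snprintf(path, sizeof path, "/mnt/%s", usbPartitionName);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "umount", path, NULL };
        execv("/bin/umount", argv); /* assumed location of the umount binary */
        _exit(127);                 /* only reached if execv failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed payload taken from the advisory text above. */
    const char *payload = "aaa;ping x.x.x.x;";
    char cmd[256];

    if (build_umount_cmd_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would hand the shell: %s\n", cmd);

    printf("hardened handler accepts payload? %d\n", is_safe_partition_name(payload));
    printf("hardened handler accepts \"sda1\"?  %d\n", is_safe_partition_name("sda1"));
    printf("umount_partition_hardened(payload) = %d\n", umount_partition_hardened(payload));
    return 0;
}
```

Running it shows the shell string `umount /mnt/aaa;ping x.x.x.x;`, where `;` ends the `umount` command and starts `ping`, while the hardened handler rejects the same value before any process is spawned. The allow-list is deliberately strict: rejecting everything outside a small character set is easier to reason about than trying to escape shell metacharacters, and passing the path as a single `execv` argument removes the shell from the picture entirely.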