tenda2

vendor:Tenda

product:G1,G3

version:V15.11.0.17(9502)_CN(G1), V15.11.0.17(9502)_CN(G3)

type:Remote Command Execution

author:Jinwen Zhou, Yifeng Li

institution:potatso@scnu, feng@scnu

Vulnerability description

We found a command injection vulnerability and a buffer overflow vulnerability in the recently released firmware of Tenda Technology's G1 and G3 routers. The command injection allows remote attackers to execute arbitrary OS commands via a crafted GET request.

Remote Command Injection vulnerability

In the formSetUSBPartitionUmount function, the parameter "usbPartitionName" is passed on without filtering the string supplied by the user, so an attacker who controls usbPartitionName can set it to a value such as "aaa;ping x.x.x.x;" and the injected command runs on the router's OS.

PoC

Remote Command Injection

We set the value of usbPartitionName to aaa;ping x.x.x.x; and the router executes the ping command.

example.com/action/umountUSBPartition?usbPartitionName=aaa;ping x.x.x.x;
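As an added illustration (not the vendor's firmware, which is not on this page), the block below reconstructs the unsafe pattern described for formSetUSBPartitionUmount beside a hardened handler that allowlists usbPartitionName and hands a path, not a shell string, to the unmount. MAX_PART_NAME, the /mnt mount-point prefix and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Longest partition name the handler accepts. Constructed bound for this
 * example; a real handler sizes it to the device's naming scheme (e.g. "sda1"). */
#define MAX_PART_NAME 16

/* Vulnerable pattern, reconstructed for illustration (not the vendor's code):
 * the request parameter is copied into a shell command line unchanged, so a
 * ';' in it turns one umount into several commands once a shell parses it. */
int build_umount_cmd_unsafe(const char *usbPartitionName, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "umount /mnt/%s", usbPartitionName);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;   /* length bounded, content not */
}

/* Allowlist check: non-empty, bounded, and only [A-Za-z0-9_-]. Anything a shell
 * or a path could interpret (';', '|', '&', '$', '`', '/', '.', space) is
 * rejected by construction instead of being enumerated in a denylist. */
int valid_partition_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_PART_NAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened version: validate first, then build only the mount-point path. The
 * caller gives that path to umount(2) or execv("/bin/umount", argv), never to
 * system() or popen(), so no shell ever parses attacker-controlled text. */
int build_umount_path(const char *usbPartitionName, char *path, size_t pathlen)
{
    if (!valid_partition_name(usbPartitionName))
        return -1;
    int n = snprintf(path, pathlen, "/mnt/%s", usbPartitionName);
    return (n < 0 || (size_t)n >= pathlen) ? -1 : 0;
}

int main(void)
{
    char buf[64];
    const char *payload = "aaa;ping x.x.x.x;";   /* the PoC value from this page */
    printf("unsafe:   %d -> %s\n", build_umount_cmd_unsafe(payload, buf, sizeof buf), buf);
    printf("hardened: %d (payload rejected)\n", build_umount_path(payload, buf, sizeof buf));
    printf("hardened: %d -> %s\n", build_umount_path("sda1", buf, sizeof buf), buf);
    return 0;
}
```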