Vendor of the products: Tenda

Vendor’s website: https://www.tendacn.com/

Reported by: Zhuang Haoran (1851805232@163.com)

Affected models and versions:

Tenda HG3 (HARD_VERSION=V2.0, Version: 300003070)

Firmware download address:

https://www.tendacn.com/material/show/787197496692805

Overview

A remote code execution vulnerability exists in Tenda HG3 series IoT devices. The device does not filter or validate externally supplied parameters before concatenating them into a command string, so an attacker can inject commands. By exploiting this flaw, an attacker can gain unauthorized access to the device's internal system interfaces and execute arbitrary code on the target device, which may lead to the device being controlled, abnormal operation, and other serious security threats.

Vulnerability details

When the request URL is /boaform/formTracert, the web server calls the formTracert handler through a function pointer.


These arguments are spliced into cmd without any filtering.


Finally, the string cmd is passed as the fifth parameter of the va_cmd function. The fourth parameter is 'c'.

va_cmd is defined in /lib/libmib.so.
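A mitigation sketch for the pattern described above, added here as an example and not taken from the Tenda firmware: the handler validates the target against an allowlist (IP literal or RFC 1123 hostname) and passes it as a separate argv element to an exec-style call instead of splicing it into a command string. The function names and the `traceroute` tool name are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

/* Returns 1 if s is an IPv4/IPv6 literal or an RFC 1123 hostname, else 0. */
int is_valid_trace_target(const char *s)
{
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len, label = 0, i;

    if (s == NULL || (len = strlen(s)) == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, s, addr) == 1 || inet_pton(AF_INET6, s, addr) == 1)
        return 1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')   /* empty label or label ending in '-' */
                return 0;
            label = 0;
        } else if (is_ascii_alnum(c) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;
        } else {
            return 0;   /* whitespace, quotes and every shell metacharacter end up here */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Fills argv for an exec*() call that involves no shell; returns -1 if target is rejected.
 * "traceroute" is an assumed tool name, not taken from the firmware. */
int build_trace_argv(const char *target, const char *argv[3])
{
    if (!is_valid_trace_target(target))
        return -1;
    argv[0] = "traceroute";
    argv[1] = target;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[3];
    /* Constructed sample inputs: the first is accepted (0), the second rejected (-1). */
    printf("%d %d\n", build_trace_argv("192.0.2.10", argv), build_trace_argv("192.0.2.10;x", argv));
    return 0;
}
```

Rejecting a leading `-` in every label also keeps the value from being read as a command-line option by the tool that receives it.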
