Vendor of the products: Tenda
Vendor’s website: https://www.tendacn.com/
Reported by: Zhuang Haoran (1851805232@163.com)
Affected models and versions:
Tenda HG3 (HARD_VERSION=V2.0 , Version: 300003070)
Firmware download address:
https://www.tendacn.com/material/show/787197496692805
A remote code execution vulnerability exists in the Tenda HG3 IoT device. It is caused by a missing filter on a request parameter, which is concatenated directly into a shell command (command injection). An attacker who can reach the internal web interface can exploit this to execute arbitrary commands on the device.
When the URL prefix is /boaform/formCountrystr, the web server dispatches the request through a function pointer selected according to the formCountrystr field.

The countrystr parameter is concatenated into the command without any filtering.
When countrystr is set to '$(<command>)' (or, equivalently, a ';'-separated command), the injected command is executed, and because the web server runs as root the command runs with root privileges.
The following PoC writes the output of id into a.html under the httpd web directory, from which it can be read back through the web interface:
curl -i 'http://127.0.0.1:8088/boaform/formCountrystr' -H 'Content-Type: application/x-www-form-urlencoded' --data 'countrystr=;id>/web_home/httpd/web/a.html;'
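The following is an added example, not Tenda's firmware code: a hypothetical formCountrystr handler written in C that shows the injection pattern described above (the raw countrystr value formatted into a command line that would be handed to the shell) next to a hardened version that allow-lists the value and executes a helper without any shell. The function names build_country_cmd_unsafe, is_valid_countrystr and set_country_safe, the "setcountry" helper name and the COUNTRY_MAX length limit are assumptions made for illustration.

```c
/* Added example, not Tenda's code. Shows the command-injection pattern
 * behind /boaform/formCountrystr (unfiltered countrystr concatenated into
 * a shell command) beside a hardened handler. All names and limits here
 * are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX     256
#define COUNTRY_MAX 8   /* assumed maximum length of a country code */

/* Vulnerable pattern: the raw form field is formatted straight into a
 * command line. A real handler would pass the result to system(), i.e.
 * /bin/sh -c, so ';', '$(...)' or '`...`' inside countrystr become extra
 * commands. This function only builds the string so it can be inspected;
 * it never executes it. Returns 0 on success, -1 if the buffer is too small. */
int build_country_cmd_unsafe(char *cmd, size_t n, const char *countrystr)
{
    int len = snprintf(cmd, n, "setcountry %s", countrystr);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Allow-list check: a country code is a short, non-empty string of ASCII
 * letters or digits. Every shell metacharacter (';', '$', '(', '`', '|',
 * '&', '>', '<', newline, space, ...) fails the isalnum test, so it is
 * rejected before it can reach any command. Returns 1 if valid, else 0. */
int is_valid_countrystr(const char *s)
{
    size_t i;
    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        if (i >= COUNTRY_MAX)
            return 0;
        if (!isalnum((unsigned char)s[i]))
            return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then run the helper binary with an
 * argv vector (execv), so the value is passed as a single argument and no
 * shell ever parses it. Returns the helper's exit status, or -1 if the
 * value fails validation or the process could not be started. */
int set_country_safe(const char *helper, const char *countrystr)
{
    pid_t pid;
    int status;

    if (!is_valid_countrystr(countrystr))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)countrystr, NULL };
        execv(helper, argv);
        _exit(127);  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: the payload from the advisory's curl PoC. */
    const char *poc = ";id>/web_home/httpd/web/a.html;";
    char cmd[CMD_MAX];

    build_country_cmd_unsafe(cmd, sizeof cmd, poc);
    printf("unsafe handler would hand to sh -c: %s\n", cmd);
    printf("allow-list accepts \"US\": %d, accepts PoC payload: %d\n",
           is_valid_countrystr("US"), is_valid_countrystr(poc));
    /* The hardened handler refuses the payload without spawning anything;
     * /bin/true stands in for the real helper binary. */
    printf("set_country_safe(PoC) -> %d\n", set_country_safe("/bin/true", poc));
    return 0;
}
```

The fix that matters is the combination: validation rejects anything that is not a plain country code, and execv with an argv vector means that even a value which slipped past validation would reach the helper as one literal argument rather than being re-parsed by /bin/sh.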
