| عنوان | Tenda AC20 V16.03.08.12 Command Injection |
|---|
| الوصف | A remote command execution vulnerability exists in the Tenda AC20 router (firmware V16.03.08.12), allowing attackers to activate the telnet service via a specific HTTP endpoint. The vulnerability resides in the TendaTelnet function, which directly executes system commands to start the telnet service without proper input sanitization, enabling attackers to gain interactive shell access to the router and execute arbitrary commands.
The vulnerability stems from the TendaTelnet function, which is bound to the /goform/telnet endpoint via websFormDefine("telnet", TendaTelnet);. This function is designed to control the telnet service of the router but lacks essential input sanitization for system commands. The function's execution flow directly triggers system commands to enable and start the telnet service, allowing attackers to exploit it via a crafted HTTP request.
Key operations in the TendaTelnet function are as follows:
1.Parameter Retrieval: The function calls GetValue("lan.ip", v17) to obtain the router's LAN IP address, stored in the v17 buffer.
2.Console Activation: It enables the system console via console_control(1) and sets the console_switch configuration to enable using SetValue, followed by committing the configuration with CommitCfm().
3.Telnet Service Management:
It first terminates any existing telnet service instances with system("killall -9 telnetd").
It then starts a new telnet service bound to the retrieved LAN IP via doSystemCmd("telnetd -b %s &", (const char *)v17), where %s is replaced with the LAN IP from v17.
4.Response: The function returns a success message "load telnetd success." via websWrite with a 200 HTTP status code.
Critical issues in this flow:
Activation of telnetd allows attackers to connect to the router's telnet service and execute arbitrary system commands with root privileges (typical for router environments). |
|---|
| المصدر | ⚠️ https://github.com/ZZ2266/.github.io/blob/main/AC20/telnet/readme.md |
|---|
| المستخدم | n0ps1ed (UID 88889) |
|---|
| ارسال | 12/08/2025 05:52 AM (10 أشهر منذ) |
|---|
| الاعتدال | 16/08/2025 08:06 AM (4 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 320358 [Tenda AC20 16.03.08.12 Telnet Service /goform/telnet websFormDefine تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|