| Title | LBlink BL-AC3600 1.0.22 Command Injection |
|---|---|
| Description | BL-AC3600<br>Version 1.0.22<br>The password modification function lacks content filtering, resulting in a command injection vulnerability.<br><br>Technical Analysis:<br>● v8 is a pointer to the routepwd field<br>● v9 represents the user-input value<br>● The strcpy function copies the value of v9 to v37<br>● easy_uci_set_option_string_0 concatenates "chpasswd.sh root" with v37 and passes it to v36<br>● The concatenated string is directly executed by the system function<br><br>Proof of Concept:<br>1. Craft malicious request packet<br>2. Observe "Operation Successful" response<br>3. Successfully establish reverse shell<br><br>Vulnerability Validation:<br>Command injection confirmed through reverse shell acquisition. |
| Source | https://github.com/GrayLxton/BLink_poc |
| User | Gray (UID 84168) |
| Submission | 16.04.2025 21:15 (1 year ago) |
| Moderation | 29.04.2025 07:43 (12 days later) |
| Status | Accepted |
| VulDB entry | 306513 [LB-LINK BL-AC3600 up to 1.0.22 Password /cgi-bin/lighttpd.cgi easy_uci_set_option_string_0 routepwd privilege escalation] |
| Points | 20 |
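
The Technical Analysis above describes the `routepwd` value being concatenated after `chpasswd.sh root` and executed through `system`. The following is an added example, not code from the firmware or from the submission, showing the same step with an allow-list check and an argument vector instead of a shell string. The `helper` path parameter, `PWD_MAX` and the permitted character set are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PWD_MAX 63  /* assumed length limit, not taken from the firmware */

/* Allow-list: 1..PWD_MAX chars, each alphanumeric or one of "_-.@"
 * (assumed policy; it excludes whitespace and every shell metacharacter). */
int password_is_acceptable(const char *pwd)
{
    size_t n, i;

    if (pwd == NULL)
        return 0;
    n = strlen(pwd);
    if (n == 0 || n > PWD_MAX)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pwd[i];
        if (!isalnum(c) && strchr("_-.@", c) == NULL)
            return 0;
    }
    return 1;
}

/* Run `helper root <pwd>` via execv, so no shell ever parses pwd.
 * helper is a hypothetical absolute path to the password script.
 * Returns the helper's exit status, or -1 if rejected or on failure. */
int set_root_password(const char *helper, const char *pwd)
{
    pid_t pid;
    int status;

    if (helper == NULL || !password_is_acceptable(pwd))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, "root", (char *)pwd, NULL };
        execv(helper, argv);
        _exit(127);  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The validation runs before any process is created, so a rejected value never reaches the helper, and the length check also bounds what a fixed-size destination buffer would receive.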