| Título | WAYOS FBM220G and others 24.10.19 Command Injection |
|---|
| Descripción | A command injection vulnerability exists in WAYOS FBM220G and other related models running firmware version FBM_220G-24.10.19V-vue-aiv3.trx. The vulnerability is located in the `sub_40F820` function within the `rc` binary. When processing configuration items such as `upnp_waniface`, `upnp_ssdp_interval`, and `upnp_max_age`, the program retrieves their values using `nvram_get` without proper sanitization. These values are then concatenated into a shell command string via `snprintf` and executed through `jhl_system`. An attacker who can tamper with the relevant configuration parameters may inject arbitrary commands, potentially leading to remote code execution and full device compromise.
|
|---|
| Fuente | ⚠️ https://github.com/glkfc/IoT-Vulnerability/blob/main/wayos/wayos.md |
|---|
| Usuario | jfkk (UID 79868) |
|---|
| Sumisión | 2026-01-31 15:36 (hace 3 meses) |
|---|
| Moderación | 2026-02-15 17:04 (15 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 346157 [WAYOS FBM-220G 24.10.19 rc sub_40F820 upnp_waniface/upnp_ssdp_interval/upnp_max_age escalada de privilegios] |
|---|
| Puntos | 20 |
|---|