| Titolo | LBlink BL-AC3600 1.0.22 Command Injection |
|---|
| Descrizione | BL-AC3600
Version 1.0.22
The password modification function lacks content filtering, resulting in a command injection vulnerability.
Technical Analysis:
● v8 is a pointer to the routepwd field
● v9 represents the user-input value
● The strcpy function copies the value of v9 to v37
● easy_uci_set_option_string_0 concatenates "chpasswd.sh root" with v37 and passes it to v36
● The concatenated string is directly executed by the system function
●
Proof of Concept:
1. Craft malicious request packet
2. Observe "Operation Successful" response
3. Successfully establish reverse shell
Vulnerability Validation:
Command injection confirmed through reverse shell acquisition.
|
|---|
| Fonte | ⚠️ https://github.com/GrayLxton/BLink_poc |
|---|
| Utente | Gray (UID 84168) |
|---|
| Sottomissione | 16/04/2025 21:15 (1 Anno fa) |
|---|
| Moderazione | 29/04/2025 07:43 (12 days later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 306513 [LB-LINK BL-AC3600 fino a 1.0.22 Password /cgi-bin/lighttpd.cgi easy_uci_set_option_string_0 routepwd escalationi di privilegi] |
|---|
| Punti | 20 |
|---|