| タイトル | Tenda W6-S V1.0.0.4(510) OS Command Injection |
|---|
| 説明 | Tenda's ate service (/bin/ate) which runs on port 7329 is vulnerable to pre-authentication command injection using a crafted UDP packet. The ate service can be enabled by a remote attacker on demand via endpoint /goform/ate in /bin/httpd.
We can enable ATE service via /goform/ate endpoint (associated to TendaAte handler) which doesn't require any form of authentication or identity verification.
To achieve command injection, send a crafted UDP packet to port 7329 after enabling ATE service.
In the code responsible for processing the content of UDP packets in /bin/ate, we notice that the pattern ifconfig;iwpriv is handled in a special way. The content is split on ; and each command is processed in the for loop. We notice that commands starting with impriv are executed using doSsytemCmd without any input sanitization thus giving us the ability to inject commands via iwpriv. |
|---|
| ソース | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md |
|---|
| ユーザー | dwbruijn (UID 93926) |
|---|
| 送信 | 2025年12月28日 18:01 (3 月 ago) |
|---|
| モデレーション | 2025年12月29日 10:20 (16 hours later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 338644 [Tenda W6-S 1.0.0.4(510) ATE Service /goform/ate TendaAte 特権昇格] |
|---|
| ポイント | 20 |
|---|