| Title | Tenda W6-S V1.0.0.4(510) OS Command Injection |
|---|---|
| Description | Tenda's ate service (/bin/ate), which runs on port 7329, is vulnerable to pre-authentication command injection using a crafted UDP packet. The ate service can be enabled by a remote attacker on demand via endpoint /goform/ate in /bin/httpd. We can enable the ATE service via the /goform/ate endpoint (associated with the TendaAte handler), which doesn't require any form of authentication or identity verification. To achieve command injection, send a crafted UDP packet to port 7329 after enabling the ATE service. In the code responsible for processing the content of UDP packets in /bin/ate, we notice that the pattern ifconfig;iwpriv is handled in a special way. The content is split on ; and each command is processed in the for loop. We notice that commands starting with iwpriv are executed using doSystemCmd without any input sanitization, thus giving us the ability to inject commands via iwpriv. |
| Source | https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md |
| User | dwbruijn (UID 93926) |
| Submitted | 2025-12-28 06:01 PM (3 months ago) |
| Moderation | 2025-12-29 10:20 AM (16 hours later) |
| Status | Accepted |
| VulDB entry | 338644 [Tenda W6-S 1.0.0.4(510) ATE Service /goform/ate TendaAte privilege escalation] |
| Points | 20 |
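
A hardened form of the iwpriv handling described in the submission, as an added example (not code from Tenda's firmware or from the submitter): each `;`-split segment is tokenized into an argv and rejected if any argument contains a character outside an allowlist, so the result can be run with `execvp()` instead of a shell. The names `parse_iwpriv_segment` and `arg_char_ok`, the argument limit and the allowlist itself are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_ARGS 8   /* assumed upper bound on arguments per command */

/* Allowlist for one argument: letters, digits and a few punctuation marks.
 * Shell metacharacters ($ ` | & < > ( ) quotes, backslash, newline) are not
 * in the set, so any segment containing them is refused. */
static int arg_char_ok(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == '.' ||
           c == '=' || c == ':' || c == ',';
}

/* Tokenize one ';'-separated segment in place (hypothetical helper).
 * Returns argc on success, or -1 if the segment is not an iwpriv command
 * built only from allowlisted characters. argv is NULL-terminated so it can
 * be handed to execvp(), which never involves a shell. */
int parse_iwpriv_segment(char *seg, char *argv[MAX_ARGS + 1])
{
    int argc = 0;
    char *p = seg;

    while (*p) {
        while (*p == ' ')               /* skip argument separators */
            p++;
        if (!*p)
            break;
        if (argc == MAX_ARGS)           /* too many arguments */
            return -1;
        argv[argc++] = p;
        while (*p && *p != ' ') {
            if (!arg_char_ok((unsigned char)*p))
                return -1;              /* metacharacter or control byte */
            p++;
        }
        if (*p)
            *p++ = '\0';                /* terminate this argument */
    }
    argv[argc] = NULL;

    /* Require the exact program name, not just a matching prefix. */
    if (argc < 2 || strcmp(argv[0], "iwpriv") != 0)
        return -1;
    return argc;
}
```
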