| Название | Tenda W6-S V1.0.0.4(510) OS Command Injection |
|---|
| Описание | Tenda's ate service (/bin/ate) which runs on port 7329 is vulnerable to pre-authentication command injection using a crafted UDP packet. The ate service can be enabled by a remote attacker on demand via endpoint /goform/ate in /bin/httpd.
We can enable ATE service via /goform/ate endpoint (associated to TendaAte handler) which doesn't require any form of authentication or identity verification.
To achieve command injection, send a crafted UDP packet to port 7329 after enabling ATE service.
In the code responsible for processing the content of UDP packets in /bin/ate, we notice that the pattern ifconfig;iwpriv is handled in a special way. The content is split on ; and each command is processed in the for loop. We notice that commands starting with impriv are executed using doSsytemCmd without any input sanitization thus giving us the ability to inject commands via iwpriv. |
|---|
| Источник | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md |
|---|
| Пользователь | dwbruijn (UID 93926) |
|---|
| Представление | 28.12.2025 18:01 (3 месяцы назад) |
|---|
| Модерация | 29.12.2025 10:20 (16 hours later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 338644 [Tenda W6-S 1.0.0.4(510) ATE Service /goform/ate TendaAte эскалация привилегий] |
|---|
| Баллы | 20 |
|---|