| Title | Tenda W6-S V1.0.0.4(510) OS Command Injection |
|---|
| Description | Tenda's ate service (/bin/ate) which runs on port 7329 is vulnerable to pre-authentication command injection using a crafted UDP packet. The ate service can be enabled by a remote attacker on demand via endpoint /goform/ate in /bin/httpd.
We can enable ATE service via /goform/ate endpoint (associated to TendaAte handler) which doesn't require any form of authentication or identity verification.
To achieve command injection, send a crafted UDP packet to port 7329 after enabling ATE service.
In the code responsible for processing the content of UDP packets in /bin/ate, we notice that the pattern ifconfig;iwpriv is handled in a special way. The content is split on ; and each command is processed in the for loop. We notice that commands starting with impriv are executed using doSsytemCmd without any input sanitization thus giving us the ability to inject commands via iwpriv. |
|---|
| Source | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md |
|---|
| User | dwbruijn (UID 93926) |
|---|
| Submission | 12/28/2025 18:01 (3 months ago) |
|---|
| Moderation | 12/29/2025 10:20 (16 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 338644 [Tenda W6-S 1.0.0.4(510) ATE Service /goform/ate TendaAte os command injection] |
|---|
| Points | 20 |
|---|