| Title | Tenda AC21 V16.03.08.16 Command Injection |
|---|---|
| Description | During a security review of the application, a critical stored command injection vulnerability was discovered in the `/goform/mDMZSetCfg` endpoint (or `/goform/DmzSetCfg` depending on the exact route). The vulnerability is located within the `mDMZSetCfg` function.<br><br>This function handles the configuration of the DMZ (Demilitarized Zone) feature. It retrieves the `dmzIp` parameter from the user's request. Although the code calls `inet_addr(cp)` on the input, this function is primarily used to convert an IP string to an integer for comparison against the LAN IP (to prevent setting the gateway itself as the DMZ host). Crucially, `inet_addr` is not a strict validator; it parses the initial valid IPv4 part of the string and often ignores trailing characters or returns `-1` for invalid inputs.<br><br>Because the code does not strictly validate that the input contains *only* a valid IP address, an attacker can append shell commands (e.g., `x.x.x.x\nreboot`) to the input. This tainted string is then stored in the system's NVRAM via `SetValue("wan1.dmzip", cp)`. Subsequently, a message (`advance_type=1`) is sent to the backend `netctrl` service. The backend service reads this stored value and uses it to construct a firewall command (e.g., `iptables`), resulting in the execution of the injected commands with root privileges. |
| Source | https://github.com/LX-LX88/cve/issues/26 |
| User | LX-LX (UID 91683) |
| Submission | 01/16/2026 17:15 (5 months ago) |
| Moderation | 01/29/2026 17:56 (13 days later) |
| Status | Accepted |
| VulDB entry | 343417 [Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16 /goform/mDMZSetCfg dmzIp command injection] |
| Points | 20 |
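
The description's point that `inet_addr` is a converter rather than a validator can be seen by comparing it with a strict check applied before a value is stored. This is an added example, not code from the Tenda firmware or from the submission; `lenient_ipv4` and `strict_ipv4` are hypothetical names and the sample inputs are constructed.

```c
/* Added example: strict IPv4 validation before a value is stored.
   Function names are hypothetical; this is not the firmware's code. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Lenient check of the kind the description attributes to the handler:
   inet_addr() only reports whether it could parse an address. Some libc
   implementations accept trailing whitespace and ignore what follows. */
static int lenient_ipv4(const char *s)
{
    return inet_addr(s) != INADDR_NONE;
}

/* Strict check: only digits and dots, bounded length, and inet_pton(),
   which requires exactly four decimal octets and nothing else. */
static int strict_ipv4(const char *s)
{
    struct in_addr addr;
    size_t len;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len < 7 || len >= INET_ADDRSTRLEN)  /* "0.0.0.0" to "255.255.255.255" */
        return 0;
    if (strspn(s, "0123456789.") != len)    /* rejects '\n', ';', spaces, ... */
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10\nreboot",
                              "192.168.0.10 ", "192.168.0", "256.1.1.1" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("lenient=%d strict=%d len=%zu\n", lenient_ipv4(samples[i]),
               strict_ipv4(samples[i]), strlen(samples[i]));
    return 0;
}
```

The lenient result for the inputs with trailing characters depends on the C library in use, which is why a conversion call should not double as input validation.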