A command injection vulnerability exists in the input validation stage of a function that receives user-controlled input. In the case of Tenda AC1200 Router Model W15Ev2, the input validation of the PortMappingServer parameter is performed with the Len function, i.e. only the length of the value is checked, not its contents. Successful exploitation causes the router to crash and reboot. The crash and reboot may occur during initialization of the router or during execution of a scheduled task. This type of vulnerability is especially dangerous when combined with a race condition, because it can then be triggered at will. The specific crash and reboot can be controlled by injecting a specific character string.

In the case of Tenda AC1200 Router Model W15Ev2, the crash and reboot can be triggered by injecting the following string:
A race condition exists in the command validation stage of the PortMappingServer parameter in Tenda AC1200 Router Model W15Ev2. The input validation is meant to reject input of an invalid length. In this router the check compares the length against the integer value 26 and rejects that exact length; however, when the router is configured to allow port forwarding, any length above 5 is accepted. So if the router receives a request whose PortMappingServer value has length 26, validation fails and the request is rejected. But a value of any length greater than 5 (27, 100 or more) passes the check, so the validation imposes no real upper bound, and due to the race condition the router still accepts the packet. This makes

Vulnerable code snippet (the length check described above, written out as a function; the final return for lengths 0 to 5 is not in the original and is assumed):

bool validate_port_mapping_server_len(int int_length) {
    if (int_length == 26) {
        return false;   /* only this exact length is rejected */
    }
    else if (int_length > 5) {
        return true;    /* no upper bound: 27, 100 or 1000 all pass */
    }
    return false;       /* assumed: lengths 0..5 are rejected */
}

How to exploit the Tenda AC1200 Router Model W15Ev2?

An attacker can exploit this vulnerability by sending a TCP packet whose PortMappingServer value has a length of 26, which the check rejects, and then sending the same packet again with a value of any length greater than 5. Because the check only rejects the exact length 26 and accepts everything above 5, the router accepts the second packet instead of rejecting it, and its crafted value is passed on to the affected function on the target system.
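As an added example (not code from this page or from the Tenda firmware), the C program below models the length check quoted above next to a hardened version, and runs both over a few constructed PortMappingServer values, including the length-26 and length-27 cases from the exploitation description. The bounds 6..25 and the allowed character set (letters, digits, '.' and '-', enough for a hostname or IPv4 address) are assumptions chosen for the illustration; the point is that a check which rejects one exact length but accepts anything longer is not a length limit at all, and that a value which reaches a command must also be filtered for shell metacharacters.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Tenda firmware code. Models the length check the
 * page describes for the PortMappingServer parameter: the exact length
 * 26 is rejected, any length above 5 is accepted, so there is no upper
 * bound at all. Lengths 0..5 are assumed to be rejected. */
bool vulnerable_length_check(size_t len)
{
    if (len == 26)
        return false;
    else if (len > 5)
        return true;
    return false;
}

/* Hardened check (illustrative). Assumed policy: the value must be a
 * hostname or IPv4 address of 6..25 bytes made only of letters, digits,
 * '.' and '-', so shell metacharacters never reach the command that the
 * page says consumes this parameter. */
#define PMS_MIN_LEN 6
#define PMS_MAX_LEN 25

bool hardened_check(const char *value)
{
    size_t len = strlen(value);
    if (len < PMS_MIN_LEN || len > PMS_MAX_LEN)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Constructed request values used for the comparison below. */
static const char *const samples[] = {
    "192.168.0.10",                 /* 12 bytes, benign */
    "10.0.0.1; reboot",             /* 16 bytes, contains a shell separator */
    "abcdefghijklmnopqrstuvwxyz",   /* 26 bytes, the only rejected length */
    "abcdefghijklmnopqrstuvwxyz0",  /* 27 bytes, passes the vulnerable check */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = strlen(samples[i]);
        printf("%-30s len=%2zu vulnerable=%d hardened=%d\n",
               samples[i], len,
               (int)vulnerable_length_check(len),
               (int)hardened_check(samples[i]));
    }
    return 0;
}
```

Running the program shows that the vulnerable check accepts both the 27-byte value and the value containing "; reboot", while the hardened check accepts only the plain address.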

Timeline

Published on: 11/15/2022 03:15:00 UTC
Last modified on: 11/18/2022 21:34:00 UTC

References