In this post, we will discuss a new vulnerability with the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-40837. This vulnerability affects the Tenda AC6 Wireless Router (US_AC6V1.BR_V15.03.05.16_multi_TD01.bin) and can allow an attacker to execute remote commands on the device. We'll go over the details of this vulnerability, including the vulnerable code, the risks involved, and how a potential attack can be carried out.

Background

A researcher recently discovered a command execution vulnerability in the sub_ADD50 function of the Tenda AC6 Wireless Router software. This vulnerability stems from improper input filtering when handling user-supplied input for the "list" and "vlanId" fields in the "formSetIptv" function. Essentially, unfiltered user input is passed as parameters to the "sub_ADD50" function, allowing an attacker to execute arbitrary commands on the targeted router.

Vulnerable Code Snippet

To understand this vulnerability, let's look at simplified snippets of the relevant logic in the Tenda router software. In the "formSetIptv" function, the "list" and "vlanId" fields are first read from the request. The code responsible for this is as follows:

if ( _GET["list"] && _GET["vlanId"] )
{
  list = _GET["list"];
  vlanId = _GET["vlanId"];
}

It is crucial to note that the code above performs no validation or filtering of the user-supplied "list" and "vlanId" values. The data is then passed unchanged as arguments to the "sub_ADD50" function:

sub_ADD50(list, vlanId);

In the "sub_ADD50" function, the two parameters "list" and "vlanId" are used to construct a shell command without any additional input validation:

strCommand = "iptables --table mangle --add " + list + " --vlan-id " + vlanId;
result = shell_exec(strCommand);
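As an added example (not code from this post or from Tenda's firmware), here is how the same handler could be hardened: both fields are checked against a strict allowlist before use, and the command is handed to the OS as an argument vector rather than a concatenated shell string, so no input byte can ever be interpreted as shell syntax. The port-name pattern, the 1..4094 VLAN range and the argv layout are assumptions made for illustration.

```python
import re
import subprocess
from typing import List

# Validation policy for this example (assumptions, not the firmware's real rules):
# "vlanId" must be a decimal 802.1Q VLAN ID in 1..4094, and "list" is assumed to
# be a comma-separated set of LAN port names such as "lan1,lan3".
VLAN_ID_RE = re.compile(r"[0-9]{1,4}")
PORT_NAME_RE = re.compile(r"lan[1-4]")


class InvalidIptvInput(ValueError):
    """Raised when a request field fails validation; the request is rejected."""


def validate_vlan_id(raw: str) -> int:
    # fullmatch anchors the whole string, so "1;id" or "1 && x" cannot pass.
    if not VLAN_ID_RE.fullmatch(raw):
        raise InvalidIptvInput("vlanId must be a decimal integer")
    vlan = int(raw)
    if not 1 <= vlan <= 4094:
        raise InvalidIptvInput("vlanId outside the 802.1Q range 1..4094")
    return vlan


def validate_port_list(raw: str) -> List[str]:
    ports = raw.split(",")
    for port in ports:
        if not PORT_NAME_RE.fullmatch(port):
            raise InvalidIptvInput(f"unexpected port name {port!r}")
    return ports


def build_iptv_argv(list_param: str, vlan_param: str) -> List[str]:
    """Validate both fields and return the command as an argv vector.
    The command shape mirrors the post's pseudocode; the real firmware command
    line is not known here. Each value stays a single argv element, so it is
    never parsed by a shell."""
    ports = validate_port_list(list_param)
    vlan = validate_vlan_id(vlan_param)
    return ["iptables", "--table", "mangle", "--add",
            ",".join(ports), "--vlan-id", str(vlan)]


def set_iptv(list_param: str, vlan_param: str) -> int:
    """Hardened replacement for shell_exec(strCommand): no shell, no string concat."""
    argv = build_iptv_argv(list_param, vlan_param)
    return subprocess.run(argv, check=False).returncode
```

Rejecting the request on any validation failure, rather than "cleaning" the value, keeps the policy simple to audit.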

Exploit Details

An attacker can exploit this vulnerability by crafting a malicious HTTP request containing user-supplied values for the "list" and "vlanId" fields to execute arbitrary commands on the targeted router. For example, an attacker could submit the following request:

http://<IP_address>/goform/formSetIptv?list=malicious_command&vlanId=1

In this request, <IP_address> represents the IP address of the targeted router, and malicious_command is the command an attacker desires to execute on the device. Upon receiving the request, the Tenda router will execute the malicious command, granting the attacker control of the device.

Further information about this vulnerability can be found in the following sources:

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40837
2. Exploit Database: https://www.exploit-db.com/exploits/CVE-2023-40837

Conclusion

The CVE-2023-40837 vulnerability poses a significant risk to Tenda AC6 Wireless Router users. Attackers can exploit this flaw to execute arbitrary commands and potentially gain complete control of the affected device. It is essential for router manufacturers, like Tenda, to carry out thorough input validation and filtering when handling user-supplied input in their software to prevent such vulnerabilities from being exploited.

In light of this vulnerability's discovery, users of Tenda AC6 Wireless Routers are advised to monitor the manufacturer's website for any firmware updates or patches related to CVE-2023-40837. Always keep your devices up-to-date to reduce the risk of exploitation.

Timeline

Published on: 08/30/2023 17:15:10 UTC
Last modified on: 09/01/2023 20:23:05 UTC