There is a command injection vulnerability in the TEW-815DAP router with firmware version 1.0.2.0. If an attacker gains web management privileges, they can inject commands through the POST request parameters NtpDstStart and NtpDstEnd handled in the httpd's do_setNTP() function, thereby gaining shell privileges. The vulnerability can be exercised on the local intranet, or remotely if remote administration is enabled.
In the function (unnamed in the decompilation), the values of NtpDstStart and NtpDstEnd are written into the command string v5, and the system() function is called to execute v5. Thus, if an attacker can find a way to control these two values and set NtpDstEnable to "1", this leads to a command injection vulnerability.
In the do_setNTP function, the input is first checked with sub_31E88(); if the check passes, the function sets the value of the NtpDstEnable parameter and jumps to LABEL_17.
The sub_31E88() function filters the input value. If it contains characters such as ; or & or the backtick (`), it detects a command injection and returns false. However, this filter is a blocklist and is not comprehensive: the | character is not rejected, so an attacker can still perform a command injection with it.
After reaching LABEL_17, and using the filter bypass described above, an attacker controls the inputs that end up in the system() call and can exploit the command injection vulnerability.
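To illustrate why the blocklist in sub_31E88() fails and what a fixed check looks like, here is an added C example that is not code from the firmware. The blocklist reconstruction only reflects the characters named above (the real function may differ), and the allowlist assumes a DST boundary value is made of digits and a few separators; that format is an assumption, not something the page states.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Reconstruction of the style of check described for sub_31E88():
 * reject a value only if it contains one of a few shell metacharacters.
 * The exact character set is an assumption based on the write-up. */
bool blocklist_is_clean(const char *value)
{
    /* strpbrk returns NULL when none of the listed characters occur. */
    return strpbrk(value, ";&`") == NULL;
}

/* Hardened replacement: an allowlist that states what a valid field looks
 * like instead of enumerating bad characters. We assume (hypothetically) a
 * DST boundary such as "03/14/02:00", i.e. digits plus '/', ':' and '.'.
 * Anything else, including '|', is rejected before any command is built. */
#define DST_FIELD_MAX 32

bool allowlist_is_valid(const char *value)
{
    size_t len = strlen(value);
    if (len == 0 || len > DST_FIELD_MAX)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isdigit(c) && c != '/' && c != ':' && c != '.')
            return false;
    }
    return true;
}

/* Gate both NTP DST fields together, the way a fixed do_setNTP() should
 * before it touches the system configuration. The safe design also avoids
 * system() entirely and passes the values as separate argv entries, so even
 * a rejected character could never be interpreted by a shell. */
bool ntp_dst_inputs_valid(const char *dst_start, const char *dst_end)
{
    return allowlist_is_valid(dst_start) && allowlist_is_valid(dst_end);
}
```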
Environment setup:
Set up the router environment through FirmAE.
Refer to the pr0v3rbs/FirmAE repository on GitHub (FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis) for instructions.
Finished