There is a command injection vulnerability in the TEW-824DRU router with firmware version 1.04b01. An unauthenticated attacker can inject commands through the system.ntp.server parameter of a POST request to the apply.cgi interface and thereby gain shell privileges. The vulnerability can be exercised from the local intranet, or remotely if remote administration is enabled.
In the function sub_420AE0(), the value of the parameter system.ntp.server is filtered through the uci_safe_get function and then assigned to uVar3, after which it is passed into the _system function. However, an attacker can bypass this filter by using the ` character, thereby exploiting the command injection vulnerability.
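The root cause described above is a blocklist-style filter in front of a shell invocation: any metacharacter the filter forgets (here the backtick) reaches _system() and is interpreted. The C below is an added example, not the vendor's code, and does not reproduce the real uci_safe_get filter. It shows the two controls that close this class of bug regardless of which metacharacter an attacker tries: an allowlist validator that accepts only the hostname/IPv4 character set an NTP server value can legitimately contain, and invoking the NTP client through execvp() with an argument vector so no shell ever parses the value. The function names ntp_server_is_valid and run_ntp_sync, and the program path passed to run_ntp_sync, are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Allowlist validator for a configured NTP server (hostname or IPv4 literal),
 * following the RFC 1123 label rules: labels of 1-63 alphanumerics or '-',
 * not starting or ending with '-', separated by single dots, total <= 253.
 * Shell metacharacters (backtick, $, ;, |, &, quotes, whitespace, ...) are
 * never in the accepted set, so there is nothing to "bypass".
 * Returns 1 if valid, 0 otherwise.
 */
int ntp_server_is_valid(const char *s)
{
    size_t n = strlen(s);
    size_t label_len = 0;

    if (n == 0 || n > 253)
        return 0;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];

        if (c == '.') {
            if (label_len == 0)          /* empty label: leading dot or ".." */
                return 0;
            if (s[i - 1] == '-')         /* label must not end with '-' */
                return 0;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))   /* anything else is rejected */
            return 0;
        if (c == '-' && label_len == 0)  /* label must not start with '-' */
            return 0;
        if (++label_len > 63)
            return 0;
    }
    if (label_len == 0 || s[n - 1] == '-')   /* trailing dot or trailing '-' */
        return 0;
    return 1;
}

/*
 * Runs an NTP client binary with the server as a single argv element.
 * execvp() never invokes a shell, so even if validation were missing the
 * value could not become a second command; validation is kept as a first
 * line of defence. Returns the child's exit status, or -1 on rejection/error.
 * "program" is a placeholder path supplied by the caller (assumption).
 */
int run_ntp_sync(const char *program, const char *server)
{
    if (!ntp_server_is_valid(server))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)program, (char *)server, NULL };
        execvp(program, argv);
        _exit(127);                      /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one legitimate value, two hostile ones. */
    const char *samples[] = { "pool.ntp.org", "a`id`b", "1.2.3.4;reboot" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> %s\n", samples[i],
               ntp_server_is_valid(samples[i]) ? "accepted" : "rejected");
    /* /bin/true stands in for the real NTP client here. */
    printf("run_ntp_sync(valid)   = %d\n", run_ntp_sync("/bin/true", "pool.ntp.org"));
    printf("run_ntp_sync(hostile) = %d\n", run_ntp_sync("/bin/true", "a`id`b"));
    return 0;
}
```

The design point for a defender reviewing firmware like this: a validator that describes what the value may be is far easier to audit than one that enumerates what it must not be, and removing the shell from the call path means a filter gap no longer turns into code execution.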
Environment setup:
Set up the router environment through FirmAE.
Refer to the pr0v3rbs/FirmAE repository on GitHub (FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis) for instructions.
Finished
Run the exploit directly, without authentication.
Command injection successfully demonstrated