Vulnerability Description

There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. An attacker can inject shell commands through the POST parameter usbapps.config.smb_admin_name of the apply.cgi interface and thereby obtain a root shell. The vulnerability can be exploited from the local network, or remotely if remote administration is enabled.

Code Analysis

In the decompiled function (unnamed in the binary, shown by the decompiler as an unknown function), the value of usbapps.config.smb_admin_name is read through uci_safe_get, which is intended to sanitize it. The result is assigned to uVar3 and then interpolated into a command string that is passed to _system. The filter does not remove the backtick character, so a value wrapped in backticks survives sanitization and, because the string is parsed by a shell when _system runs it, the shell executes the backtick contents as a command substitution. That is the command injection.
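As an added example (not code from the TEW-827DRU firmware), the following models the pattern described above: a blacklist sanitizer standing in for uci_safe_get, the vulnerable interpolation of the filtered value into a command string destined for system(), and a hardened replacement that allowlists the SMB user name and passes it as a separate argv element so no shell ever parses it. The blacklist contents, the smbpasswd command template and the name policy are assumptions for illustration; the page does not show the firmware's real ones. Nothing in the block executes a shell.

```c
/*
 * Added example, not the router's code. Models the analysis: a uci-style
 * value passes a blacklist filter that leaves '`' alone, is interpolated
 * into a command line, and would then be handed to system(). The blacklist,
 * the "smbpasswd -a" template and the allowlist policy are assumptions.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for uci_safe_get()'s filtering: characters in
 * BLACKLIST are dropped, everything else (including '`') is copied. */
#define BLACKLIST ";|&$()<>"

size_t legacy_filter(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in && n + 1 < outlen; in++) {
        if (strchr(BLACKLIST, *in) == NULL)
            out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Vulnerable pattern: the filtered value is spliced into a shell command
 * line. Returns the string that would be passed to system(). The command
 * template is assumed; the point is that the shell sees the user's text. */
int build_smb_cmd_vulnerable(const char *admin_name, char *cmd, size_t cmdlen)
{
    char clean[64];
    legacy_filter(admin_name, clean, sizeof clean);
    return snprintf(cmd, cmdlen, "smbpasswd -a %s", clean);
}

/* True if a command line still carries a shell command substitution
 * (backtick or $(...) form) after filtering. */
bool has_command_substitution(const char *s)
{
    return strchr(s, '`') != NULL || strstr(s, "$(") != NULL;
}

/* Hardened check: an SMB user name only needs a small character set,
 * so allowlist it instead of chasing metacharacters. Policy is assumed. */
bool smb_name_is_valid(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 32)
        return false;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return false;
    }
    return true;
}

/* Hardened invocation: fill an argv for execve()/execvp() so the name is
 * one argument and never shell-parsed. Returns argc, or -1 on rejection. */
int build_smb_argv(const char *admin_name, const char *argv[], size_t argv_len)
{
    if (argv_len < 4 || !smb_name_is_valid(admin_name))
        return -1;
    argv[0] = "smbpasswd";
    argv[1] = "-a";
    argv[2] = admin_name;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed attacker value: the blacklist strips ';' but not '`'. */
    const char *payload = "admin`id`";
    char cmd[256];
    const char *argv[4];

    build_smb_cmd_vulnerable(payload, cmd, sizeof cmd);
    printf("command line handed to system(): %s\n", cmd);
    printf("still contains a command substitution: %s\n",
           has_command_substitution(cmd) ? "yes" : "no");
    printf("hardened path accepts the payload: %s\n",
           build_smb_argv(payload, argv, 4) < 0 ? "no" : "yes");
    return 0;
}
```

Run it to see that a classic `admin;id` is neutralised by the blacklist while `admin`id`` reaches the command line intact. Quoting the interpolated value in the template would not be a reliable fix either (backticks still expand inside double quotes, and a stray quote in the value breaks single quoting); the robust change is the allowlist plus an exec-style call that takes an argv rather than a shell string.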


Environment setup

Set up the router environment with FirmAE. Refer to pr0v3rbs/FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis (github.com) for instructions.

Once the emulation has finished, the firmware's web interface is available for testing.

Vulnerability reproduction


Click Apply, then use Burp Suite to intercept the request.

Inject the command into usbapps.config.smb_admin_name and forward all requests. Then return to the interface and click Apply again so that the injected value is saved and applied.

Remote code execution is successful.