There is a command injection vulnerability in the TEW-827DRU router with firmware version 2.10B01. An attacker can inject commands through the POST request parameter usapps.@smb[%d].username of the apply.cgi interface and thereby obtain a root shell. The vulnerability can be exploited from the local network, or remotely if remote administration is enabled.
In the unnamed function, the value of the parameter usapps.@smb[%d].username is filtered by the uci_safe_get function, assigned to ivar1 and then passed to the _system function. However, the filter can be bypassed with the ` character, which makes the command injection possible.
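The root cause is that the username is validated by a filter that does not cover every shell metacharacter before the value reaches a shell. The following Python is an added illustration, not code from the router firmware or from this writeup: it shows an allowlist check for the username (the character set and length limit are assumptions) and a check that flags apply.cgi request bodies whose usapps.@smb[N].username values fail it. The sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Allowlist for SMB usernames: letters, digits, '.', '_' and '-', 1 to 32 chars.
# Assumed policy for this example, not the firmware's own uci_safe_get rules.
# An allowlist rejects the backtick and every other shell metacharacter, so
# there is no list of "bad" characters to forget.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,32}")

# Matches the parameter name family used by apply.cgi, e.g. usapps.@smb[0].username
SMB_USERNAME_PARAM = re.compile(r"usapps\.@smb\[\d+\]\.username")


def is_safe_smb_username(value: str) -> bool:
    """Accept only values that match the allowlist in full."""
    return SAFE_USERNAME.fullmatch(value) is not None


def smb_username_params(body: str) -> dict:
    """Extract the usapps.@smb[N].username parameters from a POST body."""
    params = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in params.items() if SMB_USERNAME_PARAM.fullmatch(k)}


def suspicious_params(body: str) -> list:
    """Names of username parameters whose values fail the allowlist."""
    return [k for k, v in smb_username_params(body).items()
            if not is_safe_smb_username(v)]


# Constructed sample request bodies (URL-encoded, %60 is the backtick).
BENIGN_BODY = "usapps.@smb[0].username=alice&usapps.@smb[0].password=x&apply=1"
BAD_BODY = "usapps.@smb[0].username=alice%60id%60&usapps.@smb[1].username=bob&apply=1"

if __name__ == "__main__":
    print("benign:", suspicious_params(BENIGN_BODY))  # []
    print("bad:", suspicious_params(BAD_BODY))        # ['usapps.@smb[0].username']
```

The same allowlist applied on the device before the value is handed to _system would have closed the bug; the request-body check is a way to spot such requests in web server or proxy logs.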
Environment setup:
Set up the router environment with FirmAE.
Refer to pr0v3rbs/FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis (github.com) for instructions.
Finished
Click Apply, then use Burp Suite to intercept the request:
After injecting the command into usapps.@smb[%d].username, forward all requests. Then click Apply again to save the changes:
Remote code execution succeeds: