Vulnerability Title: Command Injection in formRoute Function in BR-6208AC_V2_1.03 Firmware
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: BR-6208AC_V2_1.03 firmware
Component: Web-based Static Route Configuration (formRoute)
A command injection vulnerability has been discovered in the formRoute function of the BR-6208AC_V2_1.03 firmware. It exists in the web-based configuration interface and lets attackers inject arbitrary system commands because user-supplied data (e.g., IP address, subnet mask, and gateway) is not sufficiently validated or sanitized. The untrusted input is passed directly to system commands via calls such as system(tmpBuf), enabling remote, unauthenticated attackers to execute malicious commands, potentially leading to remote code execution or privilege escalation.
The vulnerability exists in the formRoute function, responsible for handling static route configuration in the BR-6208AC_V2_1.03 firmware via the web interface. The issue arises when user-supplied data, such as the IP address, subnet mask, and gateway, is directly passed into a shell command using sprintf(tmpBuf, "route add -net %s netmask %s gw %s", strIp, strMask, strGateway) and executed via the system() function.
This allows attackers to inject arbitrary shell commands by embedding special characters (e.g., semicolons or pipes) into the user input fields. With this vulnerability, attackers can execute malicious commands remotely, potentially gaining unauthorized access or control over the device. The lack of proper input validation and filtering makes the device vulnerable to exploitation. The vulnerability is particularly critical because the web service may run with elevated privileges (such as root), granting attackers the ability to execute commands with significant system impact.

The issue arises when user-supplied input (such as IP address, subnet mask, and gateway) is directly passed into a shell command via the system() function without proper sanitization. In the vulnerable code, the input values strIp, strMask, and strGateway are used to construct a shell command:
    sprintf(tmpBuf, "route add -net %s netmask %s gw %s", strIp, strMask, strGateway);
    if (system(tmpBuf) != 0) {
        strcpy(tmpBuf, "<script>document.write(showText(aspFormRoute10))</script>\\n");
        goto setErr_route;
    }
An attacker can exploit this by injecting shell metacharacters (such as semicolons ;, pipes |, or others) into the user input fields, allowing them to execute arbitrary commands on the device. Since the command passed to system() runs with the privileges of the web service (typically root), this could lead to remote code execution or privilege escalation.
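One way to harden this call, shown as an added example that is not the vendor's or the reporter's code: validate each field as a strict dotted-quad IPv4 value and run route through execv, so no shell ever parses the input. The function names, the contiguous-netmask check, and the /sbin/route path are assumptions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 only if s is a dotted-quad IPv4 address and nothing else. */
static int is_ipv4(const char *s, struct in_addr *out)
{
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, out) == 1;
}

/* A netmask must also be contiguous one-bits followed by zero-bits. */
static int is_netmask(const char *s)
{
    struct in_addr a;
    if (!is_ipv4(s, &a))
        return 0;
    uint32_t inv = ~ntohl(a.s_addr);
    return (inv & (inv + 1)) == 0;
}

/* Hypothetical helper: 1 if all three form fields are acceptable. */
int route_args_valid(const char *ip, const char *mask, const char *gw)
{
    struct in_addr tmp;
    return is_ipv4(ip, &tmp) && is_netmask(mask) && is_ipv4(gw, &tmp);
}

/* Hypothetical replacement for sprintf() + system(): each value is passed
 * as its own argv element. Returns 0 on success, -1 on rejection/failure. */
int add_static_route(const char *ip, const char *mask, const char *gw)
{
    if (!route_args_valid(ip, mask, gw))
        return -1;                       /* rejected before any process starts */
    char *const argv[] = { "route", "add", "-net", (char *)ip, "netmask",
                           (char *)mask, "gw", (char *)gw, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/sbin/route", argv);      /* assumed path to the route binary */
        _exit(127);                      /* reached only if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

In the handler, a -1 return would take the same setErr_route error path that the failed system() call takes today.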
Taint_input: