Vulnerability Title: Command Injection in formStaDrvSetup Function in BR-6208AC_V2_1.03 Firmware
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: BR-6208AC_V2_1.03 firmware
Component: Web-based formStaDrvSetup Configuration in BR-6208AC_V2_1.03
A command injection vulnerability has been discovered in the formStaDrvSetup function of the BR-6208AC_V2_1.03 firmware. The function is reachable through the web-based configuration interface, which passes improperly sanitized user input into the device's operating-system commands. The root cause is insufficient input validation and sanitization of user-supplied data such as rootAPmac: the untrusted value is passed directly to system commands via functions like system(tmpBuf) without adequate filtering. This allows remote, unauthenticated attackers to inject commands into the system, leading to the potential for remote code execution, privilege escalation, or other malicious activity on the device.
The vulnerability exists in the formStaDrvSetup function, which handles configuration changes on the BR-6208AC_V2_1.03 submitted through the web interface. User-supplied data, in particular the rootAPmac field, is passed into a system command without proper sanitization. Specifically, the vulnerable code builds a shell command with sprintf(tmpBuf, "echo '%s' > /tmp/apclii0_rootMAC", strVal) and executes it with the system() function.
Because the value is interpolated into a shell command, an attacker can inject arbitrary shell commands by embedding special characters (such as semicolons or pipes) in the rootAPmac field, and the web interface does not adequately validate or filter these inputs. The vulnerability is exploitable remotely by anyone who can send specially crafted HTTP requests to the web server; a successful request results in arbitrary command execution and potential system compromise. It is particularly dangerous because the web service may run with elevated privileges (such as root), so the injected commands could have significant impact on the system's integrity and security.

This vulnerability originates from the direct use of the user-supplied rootAPmac parameter, which is passed to sprintf() and then executed by system() without proper sanitization or validation.
The rootAPmac value is retrieved with websGetVar(wp, T("rootAPmac"), T("")) and is then checked for the semicolon (;) character, at which the value is truncated in an attempt to prevent command injection. This check is incomplete: it only cuts the input at a semicolon and does not otherwise sanitize it, so other shell metacharacters such as pipes (|), ampersands (&), and similar characters still reach the shell.
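The following is an added example, not code from the firmware or the advisory. It models the semicolon-only truncation the advisory describes, shows why it is insufficient, and places beside it the hardened form a fix would use: a strict allow-list check of the MAC address syntax and a direct file write that involves no shell at all. The helper names (truncate_at_semicolon, is_valid_mac, write_root_mac) are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Models the firmware check as the advisory describes it: the value is cut
   at the first ';' only. Any other shell metacharacter survives and would be
   interpolated by sprintf() into the command handed to system(). */
void truncate_at_semicolon(char *val) {
    char *p = strchr(val, ';');
    if (p) *p = '\0';
}

/* True if the (possibly truncated) value still contains characters a shell
   would interpret. Used only to show what the original check misses. */
bool contains_shell_meta(const char *val) {
    return strpbrk(val, "|&;`$(){}<>\n\"'\\") != NULL;
}

/* Hardened form: allow-list the exact MAC syntax "xx:xx:xx:xx:xx:xx" with hex
   digits. Anything else, including every metacharacter, is rejected outright
   instead of being partially filtered. */
bool is_valid_mac(const char *val) {
    if (strlen(val) != 17) return false;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (val[i] != ':') return false;
        } else if (!isxdigit((unsigned char)val[i])) {
            return false;
        }
    }
    return true;
}

/* Hardened write: the validated MAC is written with stdio, so no shell is
   ever invoked and no metacharacter can be interpreted.
   Returns 0 on success, -1 on invalid input or I/O failure. */
int write_root_mac(const char *path, const char *mac) {
    if (!is_valid_mac(mac)) return -1;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fprintf(f, "%s\n", mac) > 0) ? 0 : -1;
    if (fclose(f) != 0) rc = -1;
    return rc;
}
```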
Taint_input:
