Vulnerability Title: Command Injection in setWAN Function in BR-6208AC_V2_1.03 Firmware

Discovered by: tzh00203

Contact Information: [email protected]

Affected Version: BR-6208AC_V2_1.03 firmware

Component: Web-based WAN Configuration (setWAN)


1. Vulnerability Overview

The setWAN function in BR-6208AC_V2_1.03 firmware contains a command injection vulnerability. The pppUserName field is interpolated into a shell command string and passed to system() without sanitization, so an attacker who can submit WAN settings can inject shell metacharacters into pppUserName and run arbitrary commands on the device. The vulnerability is triggered by a specially crafted POST request to the web interface and leads to remote command execution and full device compromise; because the configuration code runs with elevated privileges, no further privilege escalation is needed.


2. Detailed Description

The vulnerability is in the setWAN function, which configures the WAN settings in the BR-6208AC_V2_1.03 firmware. When the device is configured for PPPoE, the pppUserName value (held in tmpstr1) is used to build a shell command with sprintf, and that command is then executed with system():

/* tmpstr1 holds the user-supplied pppUserName; it is formatted into the
 * command string unquoted and unvalidated, then handed to a shell. */
sprintf(tmpBuf, "echo %s > /tmp/UserName", tmpstr1);
system(tmpBuf);

The pppUserName field is received from the web interface and reaches system() without any sanitization or quoting. An attacker can therefore place shell metacharacters (a semicolon, a pipe, backticks, $(...) and so on) in pppUserName, and the shell executes whatever follows them as a separate command. For example, an attacker could submit the following value as pppUserName:

malicious_username;rm -rf / --no-preserve-root

The resulting command line is echo malicious_username;rm -rf / --no-preserve-root > /tmp/UserName, so the shell runs echo and then rm -rf / --no-preserve-root, which would destroy the device's filesystem. Since the function runs with elevated privileges, any injected command runs with those privileges, giving remote code execution and complete compromise of the device. (When reproducing the issue, a non-destructive command such as one that writes a marker file under /tmp is sufficient to confirm injection.)

The vulnerability can be exploited remotely by sending a specially crafted POST request to the device, which contains the malicious payload in the pppUserName field.
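The following C program is an added example written for this advisory, not code from the firmware or from the reporter. It reproduces the vulnerable pattern above (the command string is built but not executed here) next to a hardened replacement that never invokes a shell: the username is checked against an allow-list and written to the file with stdio. The allow-list (letters, digits, @ . - _, at most 64 characters) and the helper names are assumptions for illustration; a real PPPoE implementation may need a wider character set.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_FILE "/tmp/UserName"

/* Vulnerable pattern from the advisory: the user-controlled string is
 * interpolated unquoted into a shell command. This only builds the string
 * that would be passed to system(); it does not execute it. */
int build_vulnerable_cmd(const char *ppp_username, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "echo %s > " USERNAME_FILE, ppp_username);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Detection check: does the value contain a character that lets the shell
 * start another command, substitute, or change redirection? */
int contains_shell_metachar(const char *s)
{
    static const char meta[] = ";|&$`\\\"'<>(){}[]*?~\n\r";
    return strpbrk(s, meta) != NULL;
}

/* Hardened policy (assumed allow-list): PPPoE usernames such as
 * user@realm; letters, digits, '@', '.', '-', '_', 1..64 characters. */
int ppp_username_is_valid(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Hardened replacement for "echo %s > file" + system(): validate, then
 * write with stdio so no shell ever sees the value. Returns 0 on success,
 * -1 if the username is rejected, -2/-3 on I/O failure. */
int store_ppp_username(const char *ppp_username, const char *path)
{
    if (!ppp_username_is_valid(ppp_username))
        return -1;
    FILE *f = fopen(path, "w");
    if (!f)
        return -2;
    int ok = fprintf(f, "%s\n", ppp_username) >= 0;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -3;
}

/* Read back the first line of a file (newline stripped); used to verify
 * what the hardened path actually stored. */
int read_first_line(const char *path, char *out, size_t outlen)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(out, (int)outlen, f)) {
        fclose(f);
        return -2;
    }
    fclose(f);
    out[strcspn(out, "\r\n")] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: the advisory's payload and a benign username. */
    const char *payload = "malicious_username;rm -rf / --no-preserve-root";
    const char *benign = "user@isp.example";
    char cmd[256];

    build_vulnerable_cmd(payload, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);
    printf("payload has metachars: %d, benign has metachars: %d\n",
           contains_shell_metachar(payload), contains_shell_metachar(benign));
    printf("hardened store(payload) = %d\n", store_ppp_username(payload, USERNAME_FILE));
    printf("hardened store(benign)  = %d\n", store_ppp_username(benign, USERNAME_FILE));
    return 0;
}
```

The vulnerable builder shows exactly what system() would receive for the advisory's payload; the hardened path rejects it before any file is touched and, for a legitimate username, writes the file directly, which removes the shell from the data path rather than trying to escape for it.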



Vulnerable Code:

(screenshot of the vulnerable setWAN code; image not included in this copy)