Vulnerability Title: Command Injection via L2TPUserName in IQ Setup setWAN Handler of Edimax BR-6208AC V2 1.02
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: Edimax BR-6208AC V2 1.02
Component: boa web server IQ setup handler setWAN
A command injection vulnerability exists in the IQ setup setWAN handler of Edimax BR-6208AC V2 1.02. In L2TP mode, the handler copies the attacker-controlled L2TPUserName parameter into a shell command and executes it with system().
The implementation tries to block only semicolon-based payloads. Other shell features remain usable, allowing arbitrary command execution on the device.
Inside setWAN(), the L2TP branch processes the username like this:
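    strcpy(tmpstr1, websGetVar(wp, T("L2TPUserName"), T("")));
    /* Truncate at the first semicolon (ASCII 59); nothing else is filtered. */
    for (i = 0; i < strlen(tmpstr1); i++)
    {
        if (tmpstr1[i] == 59)
        {
            tmpstr1[i] = '\0';
            break;
        }
    }
    /* The remaining string is placed unquoted into a shell command line. */
    sprintf(tmpBuf, "echo %s > /tmp/UserName", tmpstr1);
    system(tmpBuf);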
Because the username is inserted into an unquoted shell command, filtering only the ; character does not prevent payloads using:
- $(...)
- |
- &&

This makes L2TPUserName an externally controllable command injection vector.
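A sketch of how the same step could be written without a shell, added here as an example and not taken from the Edimax firmware: it first shows that the semicolon cut leaves other metacharacters in place, then stores the value with stdio behind an allowlist. The function names, the 64-byte limit, the permitted character set and the UserName.test path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64 /* assumed limit; the real field size is not on the page */

/* Applies the page's filter (cut at the first ';') to a copy of `in` and
 * returns 1 if shell metacharacters are still present afterwards. */
int survives_semicolon_filter(const char *in)
{
    char tmp[USERNAME_MAX + 1];
    snprintf(tmp, sizeof(tmp), "%s", in);   /* bounded copy */
    tmp[strcspn(tmp, ";")] = '\0';          /* same effect as the loop in setWAN() */
    return tmp[strcspn(tmp, "$`|&<>(){}\\\"' \t\n*?~#!")] != '\0';
}

/* Allowlist check: length bound plus a fixed set of permitted bytes. */
int username_is_valid(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._-";
    size_t n = strlen(s);
    return n > 0 && n <= USERNAME_MAX && strspn(s, ok) == n;
}

/* Writes the username to `path` with stdio instead of "echo %s > file",
 * so no shell ever parses the value. Returns 0 on success, -1 on error. */
int save_username(const char *path, const char *name)
{
    FILE *fp;
    int rc;
    if (!username_is_valid(name))
        return -1;
    if ((fp = fopen(path, "w")) == NULL)
        return -1;
    rc = (fprintf(fp, "%s\n", name) < 0) ? -1 : 0;
    if (fclose(fp) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    /* Constructed sample inputs. */
    printf("%d\n", survives_semicolon_filter("user$(true)"));      /* metacharacters remain */
    printf("%d\n", save_username("UserName.test", "user$(true)")); /* rejected */
    printf("%d\n", save_username("UserName.test", "alice@isp.example"));
    return 0;
}
```

Writing the file directly removes the shell from the data path, so the allowlist acts as a second layer and the fix does not depend on enumerating every metacharacter.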