Vulnerability Title: Command Injection via pppUserName in IQ Setup setWAN Handler of Edimax BR-6428nC v1.16
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: Edimax BR-6428nC v1.16
Component: boa web server IQ setup handler setWAN
A command injection vulnerability exists in the IQ setup setWAN handler of Edimax BR-6428nC v1.16. In PPPoE mode, the pppUserName request parameter is copied into a shell command and executed with system().
The code removes only the ; character, leaving other shell metacharacters intact. This enables an attacker to execute arbitrary commands through the web interface.
In the PPPoE branch of setWAN(), the code performs the following operations:
    strcpy(tmpstr1, websGetVar(wp, T("pppUserName"), T("")));
    /* Only ';' (ASCII 59) is filtered: the string is truncated at the first one. */
    for (i = 0; i < strlen(tmpstr1); i++)
    {
        if (tmpstr1[i] == 59)
        {
            tmpstr1[i] = '\0';
            break;
        }
    }
    /* The remaining attacker-controlled string is interpolated into a shell command line. */
    sprintf(tmpstr2, "echo %s > /tmp/strpppUserName", tmpstr1);
    system(tmpstr2);
This is vulnerable because tmpstr1 remains attacker-controlled and is expanded by the shell. Payloads using constructs such as $(...), backticks, |, &&, or newlines are still effective.
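The following added example (not Edimax firmware code; all function names are hypothetical) contrasts the semicolon-only filter with a hardened approach: allow-list the characters a PPPoE login may contain and write the value with stdio instead of passing it through system(), so no shell ever parses the request parameter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Edimax firmware code. Names are hypothetical. */

/* Models the original filter: truncate at the first ';' and nothing else.
 * Returns 1 if the surviving string still contains a character the shell
 * would interpret, i.e. the filter did not remove the risk. */
int legacy_filter_leaves_metachar(const char *in) {
    char buf[256];
    strncpy(buf, in, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *semi = strchr(buf, ';');
    if (semi) *semi = '\0';
    return strpbrk(buf, "$`|&\n<>()") != NULL;
}

/* Hardened check: allow-list the characters a PPPoE login may contain
 * instead of trying to enumerate what the shell treats specially. */
int ppp_username_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 63) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Store the value with stdio instead of `echo ... > file` via system(),
 * so the attacker-controlled bytes are never handed to a shell.
 * Returns 0 on success, -1 on rejected input or I/O failure. */
int store_ppp_username(const char *path, const char *name) {
    if (!ppp_username_is_safe(name)) return -1;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(name, f) >= 0 && fputc('\n', f) != EOF;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}
```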
The vulnerable handler is registered as:
websFormDefine(T("setWAN"), setWAN);
The IQ setup authentication logic also contains a default-state bypass path, allowing requests to proceed without standard login checks while the device is still unconfigured.