Vulnerability Title: Command Injection via pptpUserName in IQ Setup setWAN Handler of Edimax BR-6428nC v1.16

Discovered by: tzh00203

Contact Information: [email protected]

Affected Version: Edimax BR-6428nC v1.16

Component: boa web server IQ setup handler setWAN


1. Vulnerability Overview

A command injection vulnerability exists in the IQ setup setWAN handler of Edimax BR-6428nC v1.16. In PPTP mode, the pptpUserName parameter is passed into an unquoted shell command and executed with system().

The only filtering is to truncate the value at the first ; character, which does not prevent many other shell injection techniques.


2. Detailed Description

The vulnerable PPTP code path is:

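/* Copy the request parameter into a local buffer. */
strcpy(tmpstr1, websGetVar(wp, T("pptpUserName"), T("")));
/* Truncate at the first ';' (ASCII 59); nothing else is filtered. */
for(i=0; i<strlen(tmpstr1); i++)
{
    if (tmpstr1[i] == 59)
    {
        tmpstr1[i] = '\0';
        break;
    }
}
/* The value is interpolated unquoted into a shell command line and executed. */
sprintf(tmpstr2, "echo %s > /tmp/strpptpUserName", tmpstr1);
system(tmpstr2);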

Because the value is not quoted or safely escaped, an attacker can inject shell syntax using mechanisms including:

This makes pptpUserName a direct command injection sink.
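
A hardened counterpart to the snippet above, added here as an example and not taken from the Edimax firmware or any vendor fix: it writes the value to the same file through the C file API, so no shell ever parses it. The helper name store_pptp_username, the 64-byte limit and the control-character check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PPTP_USER_FILE "/tmp/strpptpUserName"  /* path from the advisory's snippet */
#define PPTP_USER_MAX  64                      /* assumed limit, not from the firmware */

/* Hypothetical helper: returns 0 on success, -1 if the value is rejected
 * or the file cannot be written. */
int store_pptp_username(const char *path, const char *value)
{
    size_t len, i;
    FILE *fp;
    int ok;

    if (path == NULL || value == NULL)
        return -1;
    len = strlen(value);
    if (len > PPTP_USER_MAX)
        return -1;
    /* Reject control bytes so the value stays a single line in the file. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c == 0x7f)
            return -1;
    }
    /* No shell is involved: the bytes are plain data for fprintf, so
     * characters such as ';' carry no special meaning. */
    fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    ok = fprintf(fp, "%s\n", value) >= 0;  /* echo also appended a newline */
    if (fclose(fp) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

int main(void)
{
    /* Constructed sample containing the one character the original filtered. */
    const char *sample = "user;name";
    if (store_pptp_username(PPTP_USER_FILE, sample) != 0) {
        fprintf(stderr, "rejected or write failed\n");
        return 1;
    }
    printf("stored %zu bytes of user name\n", strlen(sample));
    return 0;
}
```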