Tenda AC7
cpe:2.3:h:tenda:ac7:*:*:*:*:*:*:*
- 15.03.06.44
A command injection vulnerability has been identified in the Tenda AC7 router, specifically in the firmware version 15.03.06.44. The issue arises in the '/goform/AdvSetLanip' endpoint, where the 'lanIp' parameter is processed without proper validation or sanitization. This flaw allows remote attackers to inject malicious commands that are executed in the device's command shell. The vulnerability is now public and can be exploited using a proof-of-concept available on GitHub.
Exploitation of this vulnerability allows for arbitrary command execution on the affected device.
To reproduce this vulnerability, send a POST request to the '/goform/AdvSetLanip' endpoint with a crafted 'lanIp' value that includes shell metacharacters or commands. Once the payload is injected, trigger the code path that uses the 'lan.ip' value in a shell context, such as through the '/goform/telnet' endpoint. The injected command will be executed, demonstrating the successful exploitation of the command injection vulnerability.
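The root cause described above is a 'lanIp' value that reaches a shell context without validation. The following is an added example, not Tenda firmware code and not from the original page, of a strict allow-list check applied before the value is stored. The function names `lan_ip_is_valid` and `store_lan_ip` are hypothetical, the sample inputs are constructed, and the unicast-range check goes slightly beyond what the page states.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Tenda firmware code): returns 1 only when `s` is a
 * canonical dotted-quad IPv4 unicast address, 0 otherwise. */
int lan_ip_is_valid(const char *s)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];

    if (s == NULL || strlen(s) >= INET_ADDRSTRLEN)
        return 0;
    /* inet_pton() accepts only digits and dots; any shell metacharacter,
     * whitespace or trailing text makes it fail. */
    if (inet_pton(AF_INET, s, &addr) != 1)
        return 0;
    /* Round-trip: the input must equal the canonical printed form. */
    if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL ||
        strcmp(canon, s) != 0)
        return 0;
    /* Assumption: a LAN address must be unicast (not 0.x, 127.x, >= 224.x). */
    unsigned first = ntohl(addr.s_addr) >> 24;
    if (first == 0 || first == 127 || first >= 224)
        return 0;
    return 1;
}

/* Hypothetical config setter: stores the value only after validation, so a
 * later consumer of "lan.ip" never sees attacker-controlled characters. */
int store_lan_ip(const char *input, char *dst, size_t dst_len)
{
    if (!lan_ip_is_valid(input) || strlen(input) >= dst_len)
        return -1;
    strcpy(dst, input);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.168.0.1", "192.168.0.1;id",
                              "192.168.0.1$(id)", "192.168.000.1", "224.0.0.1" };
    char cfg[INET_ADDRSTRLEN] = "";
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               store_lan_ip(samples[i], cfg, sizeof cfg) == 0 ? "stored" : "rejected");
    return 0;
}
```

Validation at the point of storage is only half of the fix: code that later consumes the stored value should pass it as a separate argument to an exec-style call rather than concatenating it into a shell command string.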