Tenda W6-S OS Command Injection Vulnerability in ATE Service

A command injection vulnerability has been identified in the Tenda W6-S router, specifically in the ATE service version 1.0.0.4(510). This vulnerability allows remote attackers to inject operating system commands through the ATE service by sending crafted UDP packets to port 7329. The injection exploits how the service processes certain command patterns, enabling unauthorized command execution on the device.

Impact

Exploitation of this vulnerability allows for pre-authentication remote code execution via operating system command injection.

Reproduction

To reproduce this vulnerability, first enable the ATE service by sending a request to the '/goform/ate' endpoint. This can be done using a simple HTTP request, as the endpoint does not require authentication. Once the ATE service is enabled, send a crafted UDP packet to port 7329. The injected payload should include commands prefixed with 'iwpriv', using '&' to separate commands instead of ';' to bypass the service's input parsing. The injected command will be executed on the system, and the output can be retrieved from the ATE process.