COMFAST CF-XR11 Command Injection Vulnerability in Multi PPPoE API

Vulnerability

A command injection vulnerability has been identified in the COMFAST CF-XR11 router, specifically in firmware version 2.7.2. The issue resides within the multi PPPoE API, where the phy_interface parameter is not properly sanitized. This flaw allows attackers to inject arbitrary commands via a POST request to the mbox-config endpoint. When the action parameter is set to 'one_click_redial', the unsanitized phy_interface is executed through a system call, potentially leading to unauthorized access to sensitive files, execution of arbitrary code, or complete compromise of the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution, unauthorized access to sensitive files, or full control over the device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/mbox-config?method=SET&section=multi_pppoe' with the 'action' parameter set to 'one_click_redial'. Include a crafted 'phy_interface' value that contains the desired command injection payload. The injected command will be executed on the device, and the results can be retrieved from a specified location.
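For defenders, the two useful pieces of code are an allowlist check that a fixed firmware should apply to phy_interface before it ever reaches a system call, and a request inspector that flags traffic to the affected endpoint whose phy_interface is not a plain interface name. The block below is an added example, not code from the advisory or from COMFAST. It assumes the request shape the advisory describes (a POST to /cgi-bin/mbox-config?method=SET&section=multi_pppoe whose body carries action and phy_interface); that the body is URL-encoded form data is an assumption, and the sample requests are constructed.

```python
"""Input validation and request inspection for the CF-XR11 multi PPPoE flaw.

Added example, not code from the advisory or from COMFAST. Assumes the
request shape the advisory describes: a POST to
/cgi-bin/mbox-config?method=SET&section=multi_pppoe with 'action' and
'phy_interface' in the body. URL-encoded form data is an assumption;
SAMPLE_REQUESTS below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for a Linux network interface name: 1-15 characters drawn from
# letters, digits, '_', '.', '-'. Anything outside this set cannot name a
# real interface and must never be passed to a shell.
IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")
# Characters that change the meaning of a shell command line.
SHELL_META = set(";|&`$(){}<>'\"\\ \t\n\r")


def is_safe_ifname(value: str) -> bool:
    """Fix-side check: accept only values that look like an interface name."""
    return IFNAME_RE.fullmatch(value) is not None


def inspect_request(method: str, target: str, body: str):
    """Detection-side check on one HTTP request.

    Returns None for requests that do not hit the vulnerable endpoint or whose
    phy_interface is a plain interface name, otherwise a finding dict.
    Severity is 'high' when action is one_click_redial (the path the advisory
    says reaches a system call) and 'medium' for any other action carrying a
    malformed phy_interface.
    """
    url = urlsplit(target)
    if method.upper() != "POST" or url.path != "/cgi-bin/mbox-config":
        return None
    query = parse_qs(url.query)
    if (query.get("method", [""])[0] != "SET"
            or query.get("section", [""])[0] != "multi_pppoe"):
        return None
    form = parse_qs(body, keep_blank_values=True)
    action = form.get("action", [""])[0]
    phy = form.get("phy_interface", [""])[0]
    if phy == "" or is_safe_ifname(phy):
        return None
    return {
        "action": action,
        "phy_interface": phy,
        "shell_metachars": sorted(set(c for c in phy if c in SHELL_META)),
        "severity": "high" if action == "one_click_redial" else "medium",
    }


# Constructed sample traffic: (method, request target, raw body).
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/mbox-config?method=SET&section=multi_pppoe",
     "action=one_click_redial&phy_interface=eth0.2"),          # benign
    ("POST", "/cgi-bin/mbox-config?method=SET&section=multi_pppoe",
     "action=one_click_redial&phy_interface=eth0%3Bid"),       # ';' injected
    ("POST", "/cgi-bin/mbox-config?method=SET&section=multi_pppoe",
     "action=set_account&phy_interface=eth0%60id%60"),         # backticks
    ("POST", "/cgi-bin/mbox-config?method=GET&section=wan", ""),
    ("GET", "/index.html", ""),
]


def scan(requests):
    """Run inspect_request over a sequence of requests and keep the findings."""
    findings = []
    for method, target, body in requests:
        finding = inspect_request(method, target, body)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"[{f['severity']}] action={f['action']} "
              f"phy_interface={f['phy_interface']!r} "
              f"metachars={f['shell_metachars']}")
```

The allowlist is deliberately stricter than "reject shell metacharacters": a denylist misses encodings and characters the author did not think of, whereas an interface name has a small, well-defined alphabet. In the inspector, flagging malformed values even outside the one_click_redial action is intentional, since the same field may be stored and reused by other code paths.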

Added: Sep 18, 2025, 9:18 PM
Updated: Sep 18, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          7.5
  exploitability  9.1
  remediation     0.0
  relevance       0.5
  threat          6.4
  urgency         2.9
  incentive       9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.