Tenda AC6 Router Command Injection Vulnerability in IPTV Configuration

Vulnerability

A command injection vulnerability has been identified in the Tenda AC6 router firmware version 15.03.05.19. The issue arises in the formSetIptv function, which handles requests to the /goform/SetIPTVCfg web interface. The function builds nvram set commands by concatenating the user-supplied list and vlanId parameters into the command string, with no validation of their contents and no sanitization of shell special characters. Because the resulting string is executed by the system, an attacker who controls either parameter can inject and execute arbitrary commands on the affected device; the advisory describes this as possible for both unauthenticated and authenticated attackers.
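The defect is the classic pattern of pasting request parameters into a command string that a shell then parses. Below is an added example of how such a handler can be hardened: each parameter is checked against a strict allow-list, and the value reaches nvram as its own argv element rather than through a shell. This is illustrative code, not Tenda's firmware; the VLAN ID range, the list format and the /usr/sbin/nvram path are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 802.1Q VLAN IDs are 1..4094 (assumed to be the device's range): digits only. */
int valid_vlan_id(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 4) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    int v = atoi(s);
    return v >= 1 && v <= 4094;
}

/* Assumed list format: comma-separated [A-Za-z0-9._-] tokens, at most 128 bytes. Shell metacharacters never pass. */
int valid_iptv_list(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 128) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == ',' || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Validates value, then formats "key=value" into kv. Returns 0 on success, -1 otherwise. */
int format_nvram_kv(const char *key, const char *value,
                    int (*validate)(const char *), char *kv, size_t kvlen) {
    if (!validate(value)) return -1;
    int n = snprintf(kv, kvlen, "%s=%s", key, value);
    return (n < 0 || (size_t)n >= kvlen) ? -1 : 0;
}

/* Runs `nvram set key=value` with no shell: the value is a single argv element, so nothing in it can end or extend the command. */
int nvram_set_checked(const char *key, const char *value, int (*validate)(const char *)) {
    char kv[192]; int status = 0;
    if (format_nvram_kv(key, value, validate, kv, sizeof kv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/usr/sbin/nvram", "nvram", "set", kv, (char *)NULL); /* path assumed */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Rejecting the request outright on a failed check, rather than stripping characters, is deliberate: a sanitizer that tries to remove metacharacters tends to miss one, while an allow-list that only admits the expected alphabet has nothing to miss.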

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the router, with potential access to sensitive files or complete control over the device.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/SetIPTVCfg endpoint with the list or vlanId parameters. Include injected commands in these parameters, using special characters to escape the nvram command context. The injected commands will be executed on the router's operating system.

Added: Sep 19, 2025, 4:29 PM
Updated: Sep 19, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.