Tenda O3V2 Command Injection Vulnerability in Traceroute Function

A critical command injection vulnerability has been identified in the Tenda O3V2 router, specifically in the firmware version 1.0.0.12(3880). The issue arises in the HTTP component, within the '/goform/getTraceroute' file, where the 'fromTraceroutGet' function improperly handles the 'dest' argument. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'dest' parameter in a crafted request.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device's operating system.

Reproduction

To reproduce this vulnerability, send a request to the '/goform/getTraceroute' endpoint with a crafted 'dest' argument that includes the desired command to be executed. The 'fromTraceroutGet' function will process the request and execute the injected command on the router's operating system.