Tenda AC20 Command Injection Vulnerability in Telnet Service
Vulnerability
A command injection vulnerability allowing remote code execution has been identified in the Tenda AC20 router running firmware version 16.03.08.12. The issue arises in the Telnet service component, specifically within the 'websFormDefine' function of the '/goform/telnet' endpoint. This function activates the Telnet service by executing system commands without proper input validation, enabling attackers to gain interactive shell access and execute arbitrary commands on the router.
Impact
Exploitation of this vulnerability provides root access to the router through the Telnet service, allowing for the execution of arbitrary commands with administrative privileges.
Reproduction
To reproduce this vulnerability, send a POST request to the '/goform/telnet' endpoint. This will trigger the 'TendaTelnet' function, which activates the Telnet service by executing system commands that are not properly sanitized. After the Telnet service is activated, connect to the router's Telnet service on port 80 to gain an interactive shell.
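A detection sketch for the sequence described above, written for this page as an added example and not taken from the advisory or from Tenda: it flags any POST to '/goform/telnet' and escalates the alert when a Telnet session to the same router follows shortly after. The log format, addresses, `service` field and five-minute window are assumptions; the Telnet session is identified by service label rather than by port number.

```python
from datetime import datetime, timedelta

ENDPOINT = "/goform/telnet"      # endpoint named in the advisory
WINDOW = timedelta(minutes=5)    # assumption: correlation window

# Constructed sample records: time, source, router, service, detail
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.10 192.168.0.1 http GET /index.html
2024-05-01T10:00:05 192.0.2.44 192.168.0.1 http POST /goform/telnet
2024-05-01T10:00:20 192.0.2.44 192.168.0.1 telnet session-open
2024-05-01T10:03:00 192.0.2.10 192.168.0.1 http POST /constructed/other
2024-05-01T11:00:00 192.0.2.77 192.168.0.1 http POST /goform/telnet?x=1
2024-05-01T12:30:00 192.0.2.77 192.168.0.1 telnet session-open
"""

def parse(line):
    """Split one record of the constructed format into typed fields."""
    ts, src, dst, service, detail = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, dst, service, detail

def detect(log_text, window=WINDOW):
    """Alert on POSTs to the endpoint; escalate if Telnet to that router follows."""
    alerts, last_post = [], {}   # last_post: router -> (time, alert index)
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, service, detail = parse(line)
        if service == "http":
            method, _, target = detail.partition(" ")
            path = target.split("?", 1)[0].rstrip("/")   # ignore query string
            if method == "POST" and path == ENDPOINT:
                alerts.append({"time": ts, "src": src, "router": dst,
                               "severity": "high", "telnet_followup": False})
                last_post[dst] = (ts, len(alerts) - 1)
        elif service == "telnet" and dst in last_post:
            post_ts, idx = last_post[dst]
            # Correlate on the router, not the source: a different host
            # may open the session after the service has been enabled.
            if timedelta(0) <= ts - post_ts <= window:
                alerts[idx].update(severity="critical", telnet_followup=True)
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["time"].isoformat(), a["src"], a["router"], a["severity"])
```
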
