Comfast CF-N1 Command Injection Vulnerability in Web Management Interface

A command injection vulnerability has been identified in the Comfast CF-N1 V2 router, specifically in the web management interface's multi_pppoe function, within firmware version 2.6.0. This vulnerability allows remote attackers to inject arbitrary commands through the phy_interface parameter when the one_click_redial action is used. The injected commands are executed with system privileges, potentially leading to unauthorized access, execution of malicious commands, or full compromise of the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device, with the potential to read sensitive files or gain full control over the router.

Reproduction

To reproduce this vulnerability, send a POST request to the '/cgi-bin/mbox-config?method=SET&section=multi_pppoe' endpoint. Include the 'action' parameter set to 'one_click_redial' and manipulate the 'phy_interface' parameter to inject a command, using command chaining operators like '&&' to append additional commands. Once the request is processed, the injected command will be executed on the device.