Tenda AC21 Command Injection Vulnerability in DMZ Configuration Endpoint

A stored command injection vulnerability has been identified in the Tenda AC21 router, specifically in version 1.1.1.1/1.dmzip/16.03.08.16. The issue arises in the 'mDMZSetCfg' function within the '/goform/mDMZSetCfg' endpoint. This vulnerability allows remote attackers to inject commands into the 'dmzIp' parameter, exploiting insufficient input validation. The injected commands are executed with root privileges, potentially leading to unauthorized access and control over the device.

Impact

Exploitation of this vulnerability allows for remote code execution with root privileges on the affected router. The injected command is stored in the router's NVRAM, creating a persistent threat that could be re-executed after a device reboot or service restart. Additionally, the vulnerability could be exploited to modify firewall rules, intercept network traffic, or pivot to other devices within the internal network.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/mDMZSetCfg' endpoint with a crafted 'dmzIp' parameter. The payload should include a valid IP address followed by a newline character and the desired command, such as 'reboot'. Authentication cookies are also required to execute the exploit.