WAYOS FBM-220G Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the WAYOS FBM-220G router running firmware version 24.10.19. The flaw is in the function 'sub_40F820' of the 'rc' binary, which reads the UPnP-related configuration values and places them into a command string without validating or sanitizing them. A remote attacker who can modify these values can therefore embed shell metacharacters in them and execute arbitrary commands on the device, for example starting a telnet service to obtain a shell on the router.

Impact

Successful exploitation yields arbitrary command execution on the router, i.e. remote code execution and full compromise of the device.

Reproduction

To reproduce this vulnerability on firmware version 24.10.19, set one of the UPnP-related configuration values 'upnp_waniface', 'upnp_ssdp_interval' or 'upnp_max_age' to a string containing shell metacharacters. When 'sub_40F820' next runs, it concatenates these unsanitized values into a command line and executes it. For example, setting 'upnp_waniface' to '0$(telnetd)' causes the command substitution to run telnetd when that command line is executed after a reboot, starting a telnet service on the router.
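The following is an added example, not code from the advisory or from the WAYOS firmware: a reconstruction in C of the vulnerable pattern described above (configuration strings pasted into a shell command line) beside a hardened version that allow-lists the interface name, strictly parses the two numeric values, and builds an argv for execve()/posix_spawn() instead of a shell string. The daemon name "upnpd", its flags, the 86400 bound and the in-memory config struct are assumptions for illustration; the real command template inside sub_40F820 is not given by the advisory.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stand-in for the router's config store, holding the
 * three UPnP keys named in the advisory. Assumption: the real firmware reads
 * them from persistent config; the values used below are illustrative. */
struct upnp_cfg {
    const char *waniface;       /* upnp_waniface */
    const char *ssdp_interval;  /* upnp_ssdp_interval */
    const char *max_age;        /* upnp_max_age */
};

/* VULNERABLE PATTERN. Hypothetical reconstruction of what sub_40F820 does:
 * config strings are pasted verbatim into a shell command line. The daemon
 * name "upnpd" and its flags are assumptions, not taken from the firmware.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_upnp_cmd_vulnerable(const struct upnp_cfg *c, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "upnpd -i %s -t %s -a %s",
                     c->waniface, c->ssdp_interval, c->max_age);
    /* Real code would follow with system(out): the shell then evaluates
     * $(...), backticks, ';', '|' and '&' embedded in any of the values. */
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* True if the string holds any byte a POSIX shell would treat specially. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, "$`;|&<>()*?{}[]~\n\t '\"\\") != NULL;
}

/* HARDENED: allow-list an interface name. Linux IFNAMSIZ is 16 bytes
 * including the terminator; permit only [A-Za-z0-9_.-]. */
int valid_ifname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len >= 16) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (!isalnum(ch) && ch != '_' && ch != '.' && ch != '-') return 0;
    }
    return 1;
}

/* HARDENED: strict decimal parse. The whole string must be digits and the
 * value must lie in [lo, hi]; "30;telnetd", "30 ", "+5" and "0x10" all fail. */
int parse_bounded_uint(const char *s, long lo, long hi, long *out)
{
    char *end;
    if (!isdigit((unsigned char)s[0])) return 0;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi) return 0;
    *out = v;
    return 1;
}

/* HARDENED: validate, then build an argv for execve()/posix_spawn() instead
 * of a shell string, so no shell ever parses the values. Returns argc on
 * success (argv[argc] == NULL), -1 if any value is rejected. */
int build_upnp_argv(const struct upnp_cfg *c, const char *argv[8], char num[2][16])
{
    long interval, max_age;
    if (!valid_ifname(c->waniface)) return -1;
    if (!parse_bounded_uint(c->ssdp_interval, 1, 86400, &interval)) return -1;
    if (!parse_bounded_uint(c->max_age, 1, 86400, &max_age)) return -1;
    snprintf(num[0], 16, "%ld", interval);   /* re-serialised in canonical form */
    snprintf(num[1], 16, "%ld", max_age);
    argv[0] = "upnpd"; argv[1] = "-i"; argv[2] = c->waniface;
    argv[3] = "-t";    argv[4] = num[0];
    argv[5] = "-a";    argv[6] = num[1];
    argv[7] = NULL;
    return 7;
}

/* Self-check helpers: return 1 if the described outcome occurs, 0 otherwise. */
int vulnerable_passes_injection(void)
{
    struct upnp_cfg c = { "0$(telnetd)", "30", "1800" };  /* advisory's payload */
    char cmd[256];
    return build_upnp_cmd_vulnerable(&c, cmd, sizeof cmd) == 0
        && strstr(cmd, "$(telnetd)") != NULL && has_shell_metachar(cmd);
}

int hardened_rejects_injection(void)
{
    struct upnp_cfg c = { "0$(telnetd)", "30", "1800" };
    const char *argv[8]; char num[2][16];
    return build_upnp_argv(&c, argv, num) == -1;
}

int hardened_accepts_benign(void)
{
    struct upnp_cfg c = { "eth0", "30", "1800" };
    const char *argv[8]; char num[2][16];
    return build_upnp_argv(&c, argv, num) == 7
        && strcmp(argv[2], "eth0") == 0 && strcmp(argv[4], "30") == 0
        && strcmp(argv[6], "1800") == 0 && argv[7] == NULL;
}

int main(void)
{
    printf("vulnerable builder passes '0$(telnetd)': %d\n", vulnerable_passes_injection());
    printf("hardened builder rejects it:             %d\n", hardened_rejects_injection());
    printf("hardened builder accepts eth0/30/1800:   %d\n", hardened_accepts_benign());
    return 0;
}
```

The point of the hardened half is that the fix is not escaping: allow-listing the interface name, re-serialising the integers from their parsed value, and handing an argv to an exec-family call means the shell is never in the path, so there is nothing left for '$(...)' or ';' to exploit.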

Added: Feb 16, 2026, 9:36 AM
Updated: Feb 16, 2026, 9:36 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.1
remediation: 0.0
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.