Tenda G300-F Router OS Command Injection Vulnerability

An OS command injection vulnerability has been identified in the Tenda G300-F router, affecting firmware versions through 16.01.14.2. The vulnerability arises in the WAN diagnostic feature, specifically within the 'formSetWanDiag' functionality. The issue occurs because the implementation creates a shell command that uses curl, incorporating input from the user without proper sanitization. This flaw allows remote attackers with access to the management interface to inject additional shell commands and execute arbitrary commands on the device, using the privileges of the management process.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router, with the commands being executed under the privileges of the management process.

Reproduction

To reproduce this vulnerability, access the Tenda G300-F router's management interface. Navigate to the WAN diagnostic section and use the 'formSetWanDiag' feature. Inject a command by prepending it with a semicolon, which will be executed on the router via the vulnerable curl command implementation.