DrayTek Vigor 300B OS Command Injection Vulnerability in Web Management Interface

Vulnerability

A command injection vulnerability has been identified in the DrayTek Vigor 300B router, affecting versions through 1.5.1.6. The issue arises in the Web Management Interface, specifically within the 'uploadlangs' function of 'mainfunction.cgi'. The vulnerability allows for OS command injection by manipulating the 'File' argument during language package uploads. This flaw can be exploited remotely and requires authentication. The vendor has acknowledged that the Vigor 300B is no longer supported and does not plan to issue a fix.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary OS commands on the device.

Reproduction

To reproduce this vulnerability, log into the DrayTek Vigor 300B router via the Web Management Interface. Once authenticated, navigate to the 'uploadlangs' function in 'mainfunction.cgi'. Upload a file with a name that includes shell special characters, such as semicolons or ampersands. The injected commands will be executed on the operating system, demonstrating the command injection vulnerability.
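To illustrate the defect described in the Vulnerability and Reproduction sections from the defender's side, here is a constructed "before" and "after" pair (added example, not DrayTek's firmware code): the vulnerable form pastes the 'File' value into a shell command string, while the hardened form allowlists the package name and passes an argv list with no shell involved. The regex, directory paths and the tar command are assumptions for illustration only.

```python
import re
import subprocess

# Assumed allowlist for language package names such as "en_US.lang":
# leading alphanumeric, then only [A-Za-z0-9_.-], max 64 characters.
# This rejects shell metacharacters (; & | ` $ < > quotes, whitespace),
# path separators and dot-names such as ".." before any OS interaction.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
UPLOAD_DIR = "/tmp/upload"      # assumed staging directory (constructed)
LANG_DIR = "/usr/share/langs"   # assumed install directory (constructed)


def vulnerable_uploadlangs_command(filename: str) -> str:
    """'Before' form: the File value is interpolated into one command string.
    A name like 'en_US.lang;id' becomes two commands once /bin/sh -c parses
    the string. Returned rather than executed so it can be inspected."""
    return f"tar -xzf {UPLOAD_DIR}/{filename} -C {LANG_DIR}"


def validate_package_name(filename: str) -> bool:
    """Allowlist check on the user-supplied package name."""
    return SAFE_NAME.fullmatch(filename) is not None


def safe_uploadlangs_argv(filename: str) -> list[str]:
    """'After' form: validate first, then build an argv list. Handing a list
    to subprocess.run() without shell=True means no shell ever tokenises
    the filename, so metacharacters cannot start a second command.
    Raises ValueError for any name outside the allowlist."""
    if not validate_package_name(filename):
        raise ValueError(f"rejected language package name: {filename!r}")
    return ["tar", "-xzf", f"{UPLOAD_DIR}/{filename}", "-C", LANG_DIR]


def install_language_package(filename: str) -> int:
    """Run the hardened command and return tar's exit status."""
    return subprocess.run(safe_uploadlangs_argv(filename), check=False).returncode
```

The same allowlist can be applied as a detection rule over web-server logs: any request to mainfunction.cgi whose File value fails validate_package_name() deserves an alert.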

Added: Feb 23, 2026, 10:23 PM
Updated: Feb 23, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 3.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.