WDR201A WiFi Extender OS Command Injection Vulnerability in makeRequest.cgi
Vulnerability
An OS command injection vulnerability has been identified in the WDR201A WiFi Extender, specifically in the makeRequest.cgi binary of firmware version LFMZX28040922V1.02. This vulnerability allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Exploitation is achieved by crafting a POST request with specially formatted ampersand-delimited parameters that bypass input sanitization, enabling command execution through the date command or channel parameter processing, with a maximum payload length of 31 bytes.
Impact
Successful exploitation allows for arbitrary command execution on the device.
Reproduction
To reproduce this vulnerability, send a POST request to the device's makeRequest.cgi endpoint. The request body must include 'set_time' or 'sniffer_start' as the first ampersand-separated token, followed by the injected command. The injection can be verified by observing the execution of the injected command on the device.
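On the firmware side, this class of bug is closed by checking each parameter against a strict allow-list and by running date without a shell. The following C is an added example, not code from the device firmware or from the original advisory; the time format, the 1..165 channel range, the /bin/date path and all function names are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed time format (not from the advisory): "YYYY-MM-DD HH:MM:SS". */
static const char TIME_SHAPE[] = "dddd-dd-dd dd:dd:dd";

/* Return 1 only if s matches TIME_SHAPE exactly, with nothing after it. */
int valid_time_arg(const char *s)
{
    size_t i, n = sizeof(TIME_SHAPE) - 1;
    if (s == NULL || strlen(s) != n) return 0;
    for (i = 0; i < n; i++)
        if (TIME_SHAPE[i] == 'd' ? !isdigit((unsigned char)s[i])
                                 : s[i] != TIME_SHAPE[i])
            return 0;
    return 1;
}

/* Parse a channel as a plain decimal integer in 1..165 (assumed range).
 * Returns the channel, or -1 if any other byte is present. */
int parse_channel(const char *s)
{
    char *end;
    long v;
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    v = strtol(s, &end, 10);
    return (*end != '\0' || v < 1 || v > 165) ? -1 : (int)v;
}

/* Set the clock without a shell: the value is a single argv element, so
 * metacharacters are never interpreted. Returns date's exit status or -1. */
int set_time_safe(const char *value)
{
    int status;
    pid_t pid;
    if (!valid_time_arg(value)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)"date", (char *)"-s", (char *)value, NULL };
        execv("/bin/date", argv);   /* assumed path to the date binary */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

The sniffer path would pass the integer returned by parse_channel to its helper the same way, formatted by the firmware itself rather than copied from the request.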
