WDR201A WiFi Extender OS Command Injection Vulnerability in firewall.cgi

Vulnerability

An OS command injection vulnerability has been identified in the WDR201A WiFi extender, specifically in the firewall.cgi binary of firmware version LFMZX28040922V1.02. The vulnerability arises from insufficient input validation in five request handlers, which allows attackers to inject arbitrary shell commands through vulnerable parameters. The injected commands persist in NVRAM and are re-executed with each subsequent request to firewall.cgi.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the firewall.cgi script with the 'firewall' parameter set to 'websURLFilter', 'websHostFilter', 'portForward', 'singlePortForward', or 'ipportFilter'. Commands can be injected using subshell syntax, such as '$(ping -c 7 ATTACKER-IP)', or through unfiltered parameters. The injected commands will execute immediately and persist in NVRAM, re-running with every access to firewall.cgi.
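A detection check for the request pattern described above, as an added example that is not part of the original advisory or the vendor's code. It flags POST bodies sent to firewall.cgi that select one of the five handlers and carry shell metacharacters in any other field; the /cgi-bin/ path prefix, the "url" field name and the metacharacter set beyond `$(` are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Handler names as listed in the advisory.
HANDLERS = {"websURLFilter", "websHostFilter", "portForward",
            "singlePortForward", "ipportFilter"}

# "$(" is the subshell syntax the advisory names; the other shell
# metacharacters are a conservative superset assumed for this example.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;&|<>\r\n]")


def inspect_request(method, path, body):
    """Return [(param, decoded_value), ...] for suspicious fields.

    Empty list means: not a POST to firewall.cgi, not one of the five
    handlers, or no shell metacharacters found.
    """
    script = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if method.upper() != "POST" or script != "firewall.cgi":
        return []
    params = parse_qsl(body, keep_blank_values=True)  # URL-decodes values
    handler = next((v for k, v in params if k == "firewall"), None)
    if handler not in HANDLERS:
        return []
    return [(k, v) for k, v in params
            if k != "firewall" and SHELL_META.search(v)]


# Constructed sample requests. The /cgi-bin/ prefix and the "url" field
# name are assumptions; 192.0.2.10 is a documentation address.
SAMPLES = [
    ("POST", "/cgi-bin/firewall.cgi", "firewall=websURLFilter&url=example.com"),
    ("POST", "/cgi-bin/firewall.cgi",
     "firewall=websURLFilter&url=%24%28ping+-c+7+192.0.2.10%29"),
    ("GET", "/cgi-bin/firewall.cgi", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = inspect_request(method, path, body)
        print(method, path, "ALERT" if hits else "ok", hits)
```

Because the injected value persists in NVRAM and re-runs on every access to firewall.cgi, a hit means the stored rule also has to be removed from the device, not only the request blocked.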

Added: May 4, 2026, 8:21 PM
Updated: May 4, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.