Tenda AC8 OS Command Injection Vulnerability in Web Interface

Vulnerability

A stored OS command injection vulnerability has been identified in the Tenda AC8 router running firmware version 16.03.50.11. The vulnerability resides in the web interface, specifically in the '/cgi-bin/UploadCfg' file. It arises in the 'route_set_user_policy_rule' function: manipulating the 'wans.policy.list1' argument leads to unauthorized command execution on the device's operating system. The vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for unauthorized OS command execution with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, log into the Tenda AC8 router's web interface. Once authenticated, download the current configuration file via the '/cgi-bin/DownloadCfg' endpoint. In the downloaded file, inject a command payload into the 'wans.policy.list1' field, ensuring that the payload includes a command substitution that will be executed as root. Upload the modified configuration file through '/cgi-bin/UploadCfg', which triggers a device reboot. The injected command is then executed during the boot process, providing a root shell via Telnet.
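As a defensive counterpart to the steps above, the following added example (not part of the original advisory and not Tenda code) audits a configuration backup for shell constructs in policy entries before it is restored to a device. It assumes the backup is plain text with one key=value pair per line, which the advisory does not state, and it generalizes from 'wans.policy.list1' to any 'wans.policy.listN' key; the sample backup and the flagged character set are constructed for illustration.

```python
import re

# Assumption: the backup is plain text, one key=value pair per line.
# The advisory does not describe the file format; adapt the parsing if it differs.
POLICY_KEY = re.compile(r"^wans\.policy\.list\d+$")

# Shell constructs flagged in a policy value (a conservative, assumed set;
# tune it against the values your own devices legitimately store).
SHELL_CONSTRUCTS = [
    ("command substitution $(...)", re.compile(r"\$\(")),
    ("backtick substitution", re.compile(r"`")),
    ("parameter expansion ${...}", re.compile(r"\$\{")),
    ("command separator or pipe", re.compile(r"[;&|]")),
    ("redirection", re.compile(r"[<>]")),
]


def scan_backup(text):
    """Return [(line_number, key, [reasons])] for suspicious policy entries."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not POLICY_KEY.match(key):
            continue  # not a policy entry, nothing to check
        reasons = [name for name, pat in SHELL_CONSTRUCTS if pat.search(value)]
        if reasons:
            findings.append((number, key, reasons))
    return findings


# Constructed sample backup; keys other than wans.policy.listN and all values
# are placeholders, not real device data.
SAMPLE_BACKUP = """\
example.other.key=value
wans.policy.list1=192.168.0.100,192.168.0.120,1
wans.policy.list2=192.168.0.130,$(PLACEHOLDER_COMMAND),1
wans.policy.list3=`PLACEHOLDER_COMMAND`
"""

if __name__ == "__main__":
    for number, key, reasons in scan_backup(SAMPLE_BACKUP):
        print(f"line {number}: {key}: {', '.join(reasons)}")
```

A non-empty result is a reason to reject the backup rather than upload it.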

Added: Mar 16, 2026, 6:21 PM
Updated: Mar 16, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 5.8
remediation: 0.0
relevance: 4.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.