Tenda G103
cpe:2.3:h:tenda:g103:*:*:*:*:*:*:*
- 1.0.0.5
- US_G103V1.0la_V1.0.0.5
A command injection vulnerability has been identified in the Tenda G103 router, specifically in version 1.0.0.5. The issue arises in the 'action_set_system_settings' function within the 'system.lua' file, part of the LuCI controller. The vulnerability is caused by inadequate sanitization of the 'lanIp' parameter, which is directly appended to system commands without proper validation. This flaw allows authenticated attackers to execute arbitrary commands with root privileges, potentially leading to a complete takeover of the device. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for arbitrary command execution with root privileges, which could result in full compromise of the device.
To reproduce this vulnerability, send a POST request to the '/cgi-bin/luci/;stok=<session_token>/admin/system/set_system_settings' endpoint. Include the 'lanIp' parameter with a value that contains shell metacharacters, such as backticks, semicolons, or '&&'. Make sure to include a valid 'stok' (session token) and authentication cookies. Once the request is sent, check the device's file system to verify if the injected command was executed successfully.
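For detection, the check the controller lacks can be applied to recorded requests: flag any POST to the settings endpoint whose 'lanIp' is not a plain dotted-quad address. This is an added example, not code from the advisory or from Tenda; it assumes form-encoded bodies and request records exported from a proxy or capture, and the function names and sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint path as given in the advisory; the session token varies per login.
ENDPOINT = re.compile(r"/cgi-bin/luci/;stok=[^/]*/admin/system/set_system_settings")
DOTTED_QUAD = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})")


def is_strict_ipv4(value):
    """Allowlist check: exactly four decimal octets in 0-255 and nothing else."""
    m = DOTTED_QUAD.fullmatch(value)
    return m is not None and all(int(octet) <= 255 for octet in m.groups())


def suspicious_lanip(method, url, body):
    """Return the lanIp values in one logged request that are not plain IPv4."""
    if method.upper() != "POST" or not ENDPOINT.fullmatch(urlsplit(url).path):
        return []
    # parse_qs percent-decodes, so %3B, %60 and %26 are checked in decoded form.
    fields = parse_qs(body, keep_blank_values=True)
    return [v for v in fields.get("lanIp", []) if not is_strict_ipv4(v)]


# Constructed sample records (method, URL, form body); PLACEHOLDER stands in
# for whatever text follows the metacharacter.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/luci/;stok=aaaa/admin/system/set_system_settings",
     "lanIp=192.168.0.1"),
    ("POST", "/cgi-bin/luci/;stok=aaaa/admin/system/set_system_settings",
     "lanIp=192.168.0.1%3BPLACEHOLDER"),
    ("POST", "/cgi-bin/luci/;stok=aaaa/admin/system/set_system_settings",
     "lanIp=%60PLACEHOLDER%60"),
    ("POST", "/cgi-bin/luci/;stok=aaaa/admin/system/status", "lanIp=x"),
]


def scan(requests):
    """Map request index -> offending values, for requests with any."""
    hits = {}
    for i, (method, url, body) in enumerate(requests):
        bad = suspicious_lanip(method, url, body)
        if bad:
            hits[i] = bad
    return hits


if __name__ == "__main__":
    for index, values in scan(SAMPLE_REQUESTS).items():
        print(index, values)
```

The same allowlist, applied in the controller before the value reaches a system command, is the shape of the fix: accept only what parses as an address rather than trying to strip metacharacters.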