Tenda G103 Command Injection Vulnerability in Setting Handler Component

A command injection vulnerability has been identified in the Tenda G103 GPON optical network terminal, specifically in the 1.0.0.5 firmware version. The issue arises in the 'action_set_net_settings' function within the 'gpon.lua' file, where several parameters, including 'authLoid', 'authLoidPassword', 'authPassword', 'authSerialNo', 'authType', 'oltType', 'usVlanId', and 'usVlanPriority', are improperly sanitized. This lack of validation allows authenticated attackers to inject arbitrary commands, which are executed with root privileges, potentially leading to a complete takeover of the device. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Successful exploitation allows for arbitrary command execution with root privileges, leading to full control over the device.

Reproduction

To reproduce this vulnerability, send a POST request to the '/cgi-bin/luci/;stok=<session_token>/admin/gpon/set-net-settings' endpoint. Include the 'authLoid', 'authLoidPassword', 'authPassword', 'authSerialNo', 'authType', 'oltType', 'usVlanId', or 'usVlanPriority' parameters in the request. The injected command will be executed on the device, and the exploitation can be verified by checking for the presence of a created file, such as '/tmp/authLoid.txt', which would indicate successful command execution.