Tenda AC10 OS Command Injection Vulnerability in Web Interface

A command injection vulnerability has been identified in the Tenda AC10 router, specifically in the firmware version 16.03.10.10_multi_TDE01. The issue arises in the 'formAddMacfilterRule' function within the '/bin/httpd' file, where user input is inadequately sanitized before being passed to a command execution function. This vulnerability allows authenticated attackers to inject and execute arbitrary OS commands with root privileges on the device. Static analysis has revealed that this flaw is not isolated, as 20 other functions exhibit the same vulnerability pattern, including 'formDelMacfilterRule' and 'formSetFirewallCfg'.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the operating system, with root privileges, potentially leading to full control over the device.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the 'formAddMacfilterRule' endpoint with a crafted MAC address that includes shell metacharacters. The injected command will be executed on the router's operating system with root privileges.

Remediation

Users are advised to update to a version that addresses this vulnerability, if available. Additionally, Tenda routers should be configured to disable remote management features and to use strong, unique passwords for administrative access.