Edimax EW-7438RPn OS Command Injection Vulnerability in WPS Start Function

Vulnerability

A command injection vulnerability has been identified in the Edimax EW-7438RPn range extender, affecting versions through 1.31. The issue arises in the 'webs' component, specifically within the 'formWpsStart' function of the '/goform/formWpsStart' file. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'pinCode' parameter. The exploitation of this vulnerability is possible from a remote location, and a proof-of-concept for the attack has been made publicly available.

Impact

Exploitation of this vulnerability leads to unauthorized remote execution of operating system commands on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/goform/formWpsStart' with a crafted 'pinCode' parameter that includes the desired command. The device passes the value to the operating system unchanged and executes it. For example, setting 'pinCode' to 'telnetd -l /bin/sh -p 1234' starts a Telnet service on the router.
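A legitimate WPS PIN is only ever 4 or 8 decimal digits (the 8-digit form carries a checksum in its last digit), so anything else arriving in 'pinCode' at '/goform/formWpsStart' is a strong indicator of an injection attempt. The following added example, written for this page and not taken from Edimax firmware or the original advisory, shows both sides of that observation: a validator that a patched handler could apply before the value is used, and a scanner that runs the same check over web-server log lines to surface exploitation attempts. The log line format, the client addresses and all sample entries are constructed for the example; the endpoint path and parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory.
VULN_PATH = "/goform/formWpsStart"
PARAM = "pinCode"


def wps_pin_checksum_ok(pin: str) -> bool:
    """Check the WPS checksum digit of an 8-digit PIN.

    Per the Wi-Fi Simple Configuration spec, digits at odd positions
    (1st, 3rd, 5th, 7th) are weighted 3, even positions weighted 1, and
    the 8th digit makes the weighted sum a multiple of 10.
    """
    digits = [int(c) for c in pin]
    accum = 0
    for i, d in enumerate(digits[:7]):
        accum += 3 * d if i % 2 == 0 else d
    return (10 - accum % 10) % 10 == digits[7]


def is_valid_wps_pin(value: str) -> bool:
    """Strict allow-list: exactly 4 ASCII digits, or 8 ASCII digits with a valid checksum.

    A handler that rejects everything else never lets shell metacharacters
    reach a command string, which is the fix for this class of bug.
    """
    if not re.fullmatch(r"[0-9]{4}|[0-9]{8}", value):
        return False
    return len(value) == 4 or wps_pin_checksum_ok(value)


# Constructed log format (hypothetical): '<client> "<METHOD> <path>" body=<urlencoded form>'
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" body=(?P<body>.*)$')


def suspicious_requests(lines):
    """Return (client, pinCode) for POSTs to the WPS endpoint whose PIN is not a valid WPS PIN."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != VULN_PATH:
            continue
        form = {k: v[0] for k, v in parse_qs(m["body"], keep_blank_values=True).items()}
        pin = form.get(PARAM)
        if pin is not None and not is_valid_wps_pin(pin):
            findings.append((m["ip"], pin))
    return findings


# Constructed sample log; 192.0.2.0/24 is a documentation range. The payload on
# the second line is the one quoted in the advisory above.
SAMPLE_LOG = [
    '192.0.2.10 "POST /goform/formWpsStart" body=pinCode=12345670',
    '192.0.2.11 "POST /goform/formWpsStart" body=pinCode=telnetd+-l+%2Fbin%2Fsh+-p+1234',
    '192.0.2.12 "POST /goform/formWpsStart" body=pinCode=12345678',
    '192.0.2.13 "GET /index.asp" body=',
]

if __name__ == "__main__":
    for ip, pin in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious WPS start from {ip}: pinCode={pin!r}")
```

The second sample line is flagged because the value is not numeric; the third is flagged because 12345678 fails the WPS checksum even though it is eight digits. Treating a checksum failure as suspicious is a judgement call: it also catches typos from a real user, so in production it is better logged at a lower severity than a value containing non-digits.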

Added: May 26, 2026, 9:08 PM
Updated: May 26, 2026, 9:08 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.