
The TRENDnet TEW-800MB is a high-performance AC1200 Dual Band Wireless Media Bridge. It is designed to connect network-enabled devices, such as Smart TVs, media players, and game consoles, to a high-speed Wireless AC network. The device supports both 5 GHz and 2.4 GHz bands and is intended to provide high-performance wireless connectivity for streaming HD media and gaming.
Through reverse engineering of the firmware using IDA Pro, we identified a critical command injection vulnerability in the sub_F934 function (which corresponds to NTPSyncWithHost in the source code). This function handles requests to NTPSyncWithHost.cgi.

Vulnerability Details:
The vulnerable code path is as follows:
1. The handler extracts the parameter following the "?" from the request URL using strsep.
2. It then checks: if ( !strchr(stringp_, 59) ). This only tests for the presence of a semicolon (";", ASCII 59).
3. The value is formatted into a command string with sprintf: sprintf(s, "date -s %s", stringp__1);
4. The resulting string is executed with system(s).
The sanitization is insufficient. While it blocks the semicolon command separator, it fails to block other shell metacharacters such as &, |, $() or backticks (`). This allows an attacker to inject arbitrary commands.
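As an added illustration (not code from the page or from the vendor's firmware), the semicolon-only check described above is shown beside a positive allow-list validator and an argv-based invocation that keeps the shell out of the path; the function names, the 253-character bound and the sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed re-creation of the check the page describes (not vendor code):
 * the value is accepted unless it contains ';'. 1 = accepted, 0 = rejected. */
int semicolon_only_check(const char *value)
{
    return strchr(value, ';') == NULL;
}

/* Hardened replacement: positive allow-list. A host name or dotted IPv4
 * address needs only letters, digits, '.' and '-', so &, |, $() and backticks
 * are rejected by construction; the length bound fits the command buffer. */
int is_valid_host(const char *value)
{
    size_t n = strlen(value);
    if (n == 0 || n > 253 || value[0] == '-' || value[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Second layer: build an argv for execvp()-style execution instead of
 * sprintf()+system(), so no shell ever parses the value. Returns 1 and
 * fills argv on success, 0 (argv[0] == NULL) when validation fails. */
int build_date_argv(const char *host, const char *argv[4])
{
    argv[0] = NULL;
    if (!is_valid_host(host))
        return 0;
    argv[0] = "date"; argv[1] = "-s"; argv[2] = host; argv[3] = NULL;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a benign host, then the metacharacter classes the
     * page says slip past the ';'-only check. */
    const char *inputs[] = { "pool.ntp.org", "a;b", "a|b", "a&b", "$(b)", "`b`" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-13s semicolon-only=%d allow-list=%d\n", inputs[i],
               semicolon_only_check(inputs[i]), is_valid_host(inputs[i]));
    return 0;
}
```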
However, exploiting this vulnerability via HTTP presents two specific challenges that must be addressed in the PoC:
1. The web server (httpd) parses the HTTP request line using spaces as delimiters. Therefore, the URL cannot contain spaces (e.g., "sleep 50" would be truncated).
2. The route for NTPSyncWithHost.cgi* uses a single wildcard matcher that fails if the URL contains a forward slash (/). This prevents using absolute paths like /tmp/pwned.
To verify this vulnerability, we download the firmware from the TRENDnet download site: https://downloads.trendnet.com/TEW-800MB/firmware/
We then use FirmAE to emulate the firmware environment.

We exploit the vulnerability using the following PoC.