Vulnerability Title: Command Injection Vulnerability in NTPSyncWithHost of Trendnet TEW-811DRU
Discovered by: Jingwei Feng
Contact Information: [email protected]
Affected Version: Trendnet TEW-811DRU firmware version 1.0.2.0
Component: httpd web server (Time configuration handler)
A command injection vulnerability has been discovered in the NTPSyncWithHost function of the Trendnet TEW-811DRU firmware. It exists in the NTP synchronization logic, where the URL query string is concatenated directly into a system command without sanitization. An authenticated attacker (or an unauthenticated one, via CSRF against a logged-in administrator) who sends a crafted request can execute arbitrary commands with root privileges.
We obtained the firmware for analysis. The vulnerability occurs in the function responsible for handling requests to /NTPSyncWithHost.cgi (identified as NTPSyncWithHost or do_NTPSyncWithHost in the binary symbols).
The function retrieves the query string from the HTTP request URL. Unlike other parameters that are typically retrieved via websGetVar, this function uses the raw query string directly.
The code attempts to synchronize the time by executing the date command: the user-supplied query string is formatted into a shell command with sprintf, using a format string equivalent to "date -s %s", and the resulting buffer is passed to system(). Because the query string is never validated, a shell metacharacter such as ; or | terminates the date command and whatever follows it is executed by the shell as a separate command.
Vulnerable Code Analysis (Reverse Engineering Perspective)
3. **Command Construction**: The input is formatted directly into the command buffer:
sprintf(buffer, "date -s %s", query_string);
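The following is an added example, not the firmware's decompiled code: it reconstructs the pattern the advisory describes (raw query string formatted into "date -s %s" and handed to the shell) next to a hardened replacement that allow-lists the argument and execs /bin/date directly without a shell. The function names, the allowed character set, and the sample query strings are assumptions made for the demonstration; whether the real httpd URL-decodes the query string before use is not stated on the page, but the metacharacters used here need no encoding either way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Reconstruction of the vulnerable pattern (hypothetical, not the
   firmware's code). snprintf is used so the demo itself cannot
   overflow; the injection problem is unchanged. The returned string is
   what the vulnerable handler would pass to system(). */
int vuln_build_command(const char *query_string, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "date -s %s", query_string);
}

/* Hardened replacement, part 1: strict allow-list. Only the characters
   a "date -s" timestamp needs are accepted (digits, '-', ':', '.', 'T'),
   with a bounded length. Anything else, including ';', '|', '`', '$',
   quotes and whitespace, is rejected before any command is built. */
int is_safe_date_arg(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 20)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isdigit(c) || c == '-' || c == ':' || c == '.' || c == 'T'))
            return 0;
    }
    return 1;
}

/* Hardened replacement, part 2: no shell at all. The argument is passed
   as a single argv element to /bin/date, so even if the allow-list were
   loosened later, nothing would ever be parsed as shell syntax.
   Returns -1 on rejection or failure, else the exit status of date. */
int safe_set_time(const char *arg)
{
    if (!is_safe_date_arg(arg))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "date", "-s", (char *)arg, NULL };
        execv("/bin/date", argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: a legitimate timestamp and a query
       string that uses ';' to append a second command. */
    const char *benign  = "2024-01-01T12:00:00";
    const char *hostile = "2024-01-01;id";
    char cmd[256];

    vuln_build_command(hostile, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("allow-list: benign=%d hostile=%d\n",
           is_safe_date_arg(benign), is_safe_date_arg(hostile));
    /* safe_set_time(benign) is not called here: it would really try to
       set the clock (and needs root). */
    return 0;
}
```

The allow-list plus execv is the combination that matters: validation alone leaves the design one careless format-string change away from the same bug, and execv alone still lets an attacker pass arbitrary date arguments, so both controls are applied.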
Result:
We used FirmAE to emulate the firmware downloaded from https://downloads.trendnet.com/TEW-811DRU/firmware/FW_TEW-811DRU_v1(1.0.2.0).zip. The emulated device gave us a shell and access to the web interface.