Discovered by: Jingwei Feng
Contact Information: [email protected]
Affected Version: Trendnet 815DAP firmware FW1.0.2.0 and previous
Component: httpd web server (Setup Wizard configuration handler)
A Command Injection Vulnerability has been discovered in the setup wizard configuration logic of the Trendnet TEW-815DAP firmware. The vulnerability exists in the handler responsible for processing wizard configuration requests, where a user-controlled parameter is directly concatenated into a shell command without proper sanitization.
The firmware image of the Trendnet TEW-815DAP was obtained from the official Trendnet support website and analyzed through firmware reverse engineering. The filesystem was extracted using binwalk, and the embedded httpd binary was statically analyzed using IDA Pro.
During reverse engineering of the HTTP request dispatch table, the following handler mapping was identified inside the httpd binary:
{"goform/wizardset*","text/html", no_cache, do_apply_post, do_setWizard_asp, do_auth },
This mapping shows that HTTP POST requests to:
/goform/wizardset
are processed by the function do_setWizard_asp after authentication.
Further reverse engineering of do_setWizard_asp revealed unsafe command execution behavior originating from the internal function setWizard_asp, located in the firmware logic corresponding
Parameter Retrieval
The function retrieves the WizardConfigured parameter from the HTTP request using websGetVar:
wconf = websGetVar(wp,"WizardConfigured",NULL);
Missing Input Validation
The value of wconf is not validated or sanitized. No filtering is applied to remove shell metacharacters such as ;, |, &, or backticks.
Command Construction
The user-controlled input is directly embedded into a shell command using sprintf:
sprintf(cmd,
"echo %s > /sys/class/net/br0/bridge/redirect_wizard",
wconf);
Command Execution
The constructed command is executed via system():
system(cmd);
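Hardened counterpart to the sprintf()/system() sequence above, as an added example that is not taken from the firmware or from the vendor: the value is checked against an allowlist and written to the attribute file directly, so no shell parses it. The function names, the scratch path and the assumption that the attribute only needs a short decimal flag are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the bridge attribute only needs a short decimal flag
 * (1-3 digits). Anything else, including shell metacharacters such as
 * ; | & or backticks, is rejected rather than escaped. NULL is handled
 * because websGetVar() is called with NULL as its default value. */
int wizard_value_is_safe(const char *v)
{
    size_t i, n;

    if (v == NULL)
        return 0;
    n = strlen(v);
    if (n == 0 || n > 3)
        return 0;
    for (i = 0; i < n; i++)
        if (v[i] < '0' || v[i] > '9')
            return 0;
    return 1;
}

/* Replaces sprintf() + system("echo ... > file"): the validated value is
 * written to the file itself. Returns 0 on success, -1 if the value is
 * rejected or the write fails. */
int write_wizard_flag(const char *path, const char *value)
{
    FILE *f;
    int ok;

    if (!wizard_value_is_safe(value))
        return -1;
    f = fopen(path, "w");
    if (f == NULL)
        return -1;
    ok = (fprintf(f, "%s\n", value) > 0);
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs; a scratch file stands in for the sysfs path. */
    const char *path = "/tmp/redirect_wizard.example";
    const char *inputs[] = { "1", "0", "", "1;id", "`id`", "1 | id" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-8s -> %s\n", inputs[i],
               write_wizard_flag(path, inputs[i]) == 0 ? "written" : "rejected");
    return 0;
}
```

On the device the path argument would be /sys/class/net/br0/bridge/redirect_wizard, the file named in the original command string.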