Vulnerability Title: Command Injection Vulnerability in formWsc of Trendnet TEW-822DRE
Discovered by: Jingwei Feng
Contact Information: [email protected]
Affected Version: Trendnet TEW-822DRE firmware version 1.00b06
Component: boa web server (WPS configuration handler)
A command injection vulnerability has been discovered in the formWsc function of the Trendnet TEW-822DRE firmware. The vulnerability exists in the Wi-Fi Protected Setup (WPS) configuration logic, where the peerPin parameter is concatenated directly into a system command without any sanitization. When an authenticated attacker sends a specific request while WPS is disabled, arbitrary commands can be executed with root privileges.
The firmware can be downloaded from https://downloads.trendnet.com/TEW-822DRE/firmware/FW_TEW-822DRE_v1&2(1.01B06).zip
The vulnerability occurs in the formWsc function (identified as sub_43ACF4 in the decompiled code) when handling requests to set a WPS PIN.
The function retrieves the peerPin parameter from the HTTP request and checks the status of the WPS feature (MIB_WLAN_WSC_DISABLE, identified as MIB ID 270). If WPS is currently disabled, the code enters a specific branch to enable it and write the PIN to a system file.
In this branch, the peerPin input is used to construct a shell command using sprintf without any validation or sanitization. This command is subsequently executed via system().
The following snippet from the decompiled code demonstrates the vulnerability:
Parameter Retrieval: The code retrieves the peerPin parameter into params_14.

State Check: The code checks if WPS is disabled (n2 is non-zero).

Command Injection: Inside the if block, params_14 (the user-controlled peerPin) is directly formatted into a shell command string.

Execution: The flow jumps to LABEL_102, where the command is executed.
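The flaw described above is the classic sprintf-into-system() pattern. As an added example (not code from the TEW-822DRE firmware or from the advisory), the following C shows the two defensive changes a fix would need: an allow-list check on peerPin, and writing the PIN to the file through stdio so that no shell is involved at all. It goes slightly beyond the advisory by also verifying the WPS PIN checksum digit defined in the Wi-Fi Simple Configuration specification; the file path is a placeholder, since the advisory does not name the real file.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not the firmware's own code. The advisory describes
 * formWsc doing roughly: sprintf(cmd, "... %s ...", peerPin); system(cmd);
 * with peerPin taken straight from the HTTP request. */

/* Returns 1 if pin is exactly 8 ASCII digits and the 8th digit is the WPS
 * checksum over the first seven (weights 3,1,3,1,3,1,3), otherwise 0. */
int is_valid_wps_pin(const char *pin)
{
    if (pin == NULL || strlen(pin) != 8)
        return 0;
    for (int i = 0; i < 8; i++)
        if (!isdigit((unsigned char)pin[i]))
            return 0;   /* rejects ';', '`', '$', quotes, spaces, ... */

    int accum = 0;
    for (int i = 0; i < 7; i++)
        accum += (i % 2 == 0 ? 3 : 1) * (pin[i] - '0');
    int expected = (10 - (accum % 10)) % 10;
    return (pin[7] - '0') == expected;
}

/* Persist the PIN without invoking a shell. 'path' is a placeholder for
 * the file formWsc writes. Returns 0 on success, -1 on invalid PIN or
 * I/O error. */
int write_wps_pin_file(const char *path, const char *pin)
{
    if (!is_valid_wps_pin(pin))
        return -1;      /* refuse before touching the filesystem */
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fprintf(f, "%s\n", pin) == 9;   /* 8 digits + newline */
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs: valid, bad checksum, metacharacter, short */
    const char *samples[] = { "12345670", "12345671", "1234;670", "1234567" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s -> %s\n", samples[i],
               is_valid_wps_pin(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```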
