The TRENDnet TEW-822DRE is an AC1200 dual-band wireless range extender designed to expand the coverage of an existing Wi-Fi network. It operates primarily as a Layer-2 access point / repeater, relaying wireless traffic between client devices and an upstream router, rather than functioning as a standalone router.
The device supports simultaneous 2.4 GHz and 5 GHz wireless bands and is typically deployed in residential or small office environments to improve wireless signal strength and coverage in areas with weak connectivity. Management and configuration are provided through a web-based administration interface, which allows users to perform tasks such as initial setup, wireless configuration, and system management.
Importantly, the TEW-822DRE does not perform routing or NAT functions and does not act as a network gateway. Instead, it relies on an upstream router for IP address assignment and Internet access, while exposing its own embedded web management service for local administration.

Target Device: TRENDnet TEW-822DRE
Firmware Version: v1.01B06
Vulnerability Type: OS Command Injection
Component: Web Server (/bin/boa)
Firmware Download: https://downloads.trendnet.com/TEW-822DRE/firmware/FW_TEW-822DRE_v1&2(1.01B06).zip
The analysis began with the extraction of the firmware image to obtain the file system.
binwalk -e TEW-822DRE_v1.00b21.bin
/web/bin/boa
We performed static analysis on the web server binary /bin/boa using IDA Pro to identify potential vulnerabilities.
Binary Identification:
The /bin/boa binary is a MIPS executable responsible for handling HTTP requests. We loaded the binary into IDA Pro for disassembly and decompilation.
Locating the Vulnerable Handler:
By searching for strings related to the "Ping Test" page (e.g., "admin_ping.htm"), we identified the function formSystemCheck. This function is registered as a handler for the URL /boafrm/formSystemCheck.
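The string-search step above can be scripted for firmware triage. The following is an added example, not code from the original write-up: it confirms that an image is a MIPS ELF, extracts printable strings, and lists the page reference, candidate form* handler names, and command-execution imports. The SAMPLE bytes and the name formExampleOther are constructed for illustration and are not taken from the real firmware.

```python
import re
import struct

EM_MIPS = 8  # e_machine value for MIPS in the ELF specification

def elf_info(blob):
    """Return (e_machine, endianness) for an ELF image, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    endian = "<" if blob[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    (machine,) = struct.unpack_from(endian + "H", blob, 18)  # e_machine field
    return machine, ("little" if endian == "<" else "big")

def ascii_strings(blob, min_len=4):
    """Yield (offset, text) for printable ASCII runs, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")

def triage(blob, page="admin_ping.htm"):
    """Summarise what an auditor would look at first in a web server binary."""
    info = elf_info(blob)
    if info is None:
        raise ValueError("not an ELF image")
    strings = list(ascii_strings(blob))
    return {
        "is_mips": info[0] == EM_MIPS,
        "endianness": info[1],
        # Offsets of strings that mention the page under review.
        "page_refs": [off for off, s in strings if page in s],
        # Names shaped like the form handlers the write-up describes.
        "handlers": sorted({s for _, s in strings
                            if re.fullmatch(r"form[A-Z]\w+", s)}),
        # Imports that run OS commands and deserve a cross-reference check.
        "exec_imports": sorted({s for _, s in strings
                                if s in ("system", "popen", "execve")}),
    }

# Constructed sample: minimal big-endian MIPS ELF header plus a fake string
# table. These are not bytes from the TEW-822DRE firmware.
SAMPLE = (b"\x7fELF\x01\x02\x01" + b"\x00" * 9
          + struct.pack(">HH", 2, EM_MIPS) + b"\x00" * 32
          + b"system\x00formSystemCheck\x00/admin_ping.htm\x00"
          + b"formExampleOther\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A string listing only narrows the search: which handler actually references the page, and whether request data reaches an execution import, still has to be confirmed through cross-references in the disassembler.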