Vulnerability Title: Command Injection Vulnerability in setDeviceURL of Trendnet TEW-815DAP
Discovered by: Jingwei Feng
Contact Information: [email protected]
Affected Version: Trendnet TEW-815DAP firmware version 1.0.2.0
Component: httpd web server (Device URL configuration handler)
A Command Injection Vulnerability has been discovered in the setDeviceURL function of the Trendnet TEW-815DAP firmware. The vulnerability exists in the device URL configuration logic where the user-provided URL is directly concatenated into a system command without sufficient sanitization. When an authenticated attacker sends a crafted request to uapply.cgi, arbitrary commands can be executed with root privileges.
We obtained the firmware and performed a static analysis using IDA Pro. The vulnerability is located in the httpd binary, specifically within the handling of the setDeviceURL action triggered by uapply.cgi.
Authentication Mechanism Analysis
Before exploiting the vulnerability, we analyzed the authentication flow. The device uses session-based authentication protected by a CSRF token mechanism:
token.
<input type="hidden" name="token" value="[Random_Token_Value]">
apply.cgi or uapply.cgi must include this token. The server validates it via the checkToken function. An attacker must extract this token from the response body (e.g., from wizard.asp or the main page) to construct a valid request.
Vulnerable Code Analysis (Reverse Engineering Perspective)
/uapply.cgi endpoint. When the parameter apply_do is set to setDeviceURL, the server invokes the setDeviceURL function.
DeviceURL from the NVRAM configuration (which is set via the same request).
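An added example, not code from the firmware or from the original report: one way to close this class of bug in C is to allowlist the value before it is stored and to hand it to the helper program as a single argv element instead of building a string for system(). The function names, the 63-byte limit and the host-name format assumed for DeviceURL are assumptions.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define DEVICE_URL_MAX 63   /* assumed limit, not taken from the firmware */

/* Accept only a DNS-style host name: labels of [A-Za-z0-9-] separated by '.',
 * no empty label, no label starting or ending with '-'. Shell metacharacters,
 * whitespace and control bytes are rejected because they are not on the list. */
int device_url_is_valid(const char *url)
{
    size_t len, i, label_len = 0;
    if (url == NULL || (len = strlen(url)) == 0 || len > DEVICE_URL_MAX)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label_len == 0 || url[i - 1] == '-')
                return 0;               /* empty label or label ending in '-' */
            label_len = 0;
        } else if (alnum || (c == '-' && label_len > 0)) {
            label_len++;                /* '-' is allowed only inside a label */
        } else {
            return 0;                   /* anything else: ';', '|', '$', ' ', ... */
        }
    }
    return label_len > 0 && url[len - 1] != '-';
}

/* Run `prog` with the value as one argv element. No shell parses the string,
 * so the value stays data even if the validation were ever loosened.
 * Returns the child's exit status, or -1 on rejection or failure. */
int run_with_device_url(const char *prog, const char *url)
{
    int status;
    pid_t pid;
    if (!device_url_is_valid(url) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execl(prog, prog, url, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The same validation belongs at the point where the value is written to NVRAM, so that no later consumer of DeviceURL reads an unchecked string.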