We found a stack buffer overflow vulnerability at **TEW-755AP (**Firmware version TEW755AP-FW113B01.bin).

In the handler function for action set_sta_enrollee_pin_24g of the file /www/cgi/ssi, the value of wps_sta_enrollee_pin is finally passed into system, resulting in command injection.

Even though the webserver has filtered some dangerous characters like “;” or “|”, but “\n” is not filtered. An attacker can use “\n” to separate the command to achieve remote command execution.

Similar to Vulnerability 1, once this vulnerability is exploited, an attacker can execute an arbitrary command in the system.

Fix Suggestion:

Filter more dangerous characters like “\n”.