CVE-2020-10987 Scanner

CVE-2020-10987 Scanner - Command Injection vulnerability in Tenda AC15 AC1900

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 18 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Tenda AC15 AC1900 is a dual-band gigabit wireless router designed for home and small office environments. It provides high-speed internet connectivity and is widely used by consumers seeking advanced wireless coverage and performance. Tenda’s routers are frequently used by non-technical users due to their easy-to-use configuration interface. These devices often include remote management features, which, if misconfigured or left vulnerable, can be exploited remotely. The firmware in Tenda AC15 AC1900 provides various functionalities accessible via HTTP endpoints. The affected firmware version includes vulnerable interfaces which are exposed to external access without adequate sanitization.

Command Injection vulnerabilities allow an attacker to execute arbitrary system-level commands on a host operating system via vulnerable input fields. The CVE-2020-10987 vulnerability impacts the Tenda AC15 AC1900 router, specifically the setUsbUnload endpoint. Attackers can exploit this vulnerability by sending a specially crafted request with a manipulated deviceName parameter. The input is not properly sanitized, enabling shell command execution. If exploited, it can lead to full compromise of the device. The issue is particularly dangerous because it does not require authentication, increasing its severity.

The vulnerability exists in the HTTP POST endpoint `/goform/setUsbUnload` of the Tenda AC15 AC1900 router firmware version 15.03.05.19. The vulnerable parameter is `deviceName`, whose value is inserted directly into a command executed by the router’s operating system. The scanner first sends a GET request to confirm that the device is a Tenda AC15 router. It then sends a request whose `deviceName` value includes shell metacharacters and a callback URL. If the callback is triggered, remote command execution is confirmed, which shows that the router processes user input without validation or escaping.

If this vulnerability is successfully exploited, an attacker can gain remote access to the router’s operating system. This could lead to full control over the router, allowing for traffic manipulation, data exfiltration, installation of persistent malware, or pivoting to internal networks. Devices compromised in this way can be part of larger botnets or used in further attacks. It also undermines user privacy and network integrity. In worst-case scenarios, attackers can completely disable the device or replace firmware with malicious versions.
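For defenders who log HTTP requests in front of the router (for example at a reverse proxy or IDS), the following added example, which is not part of the scanner or the vendor firmware, flags POSTs to `/goform/setUsbUnload` whose `deviceName` falls outside an allow-list. The record layout, the allow-list pattern and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named on this page.
ENDPOINT = "/goform/setUsbUnload"
PARAM = "deviceName"

# Assumption: legitimate USB device names are short and use only these
# characters. Tune the allow-list to what your own devices actually send.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


def check_request(method, path, body):
    """Return a list of findings for one logged HTTP request (empty = clean)."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != ENDPOINT:
        return []
    # parse_qs percent-decodes values, so encoded metacharacters (%3B, %24 ...)
    # are compared in decoded form. keep_blank_values keeps empty parameters.
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(PARAM, [])
    findings = []
    if len(values) > 1:
        findings.append("deviceName sent more than once")
    for value in values:
        if not SAFE_NAME.fullmatch(value):
            findings.append(f"deviceName outside allow-list: {value!r}")
    return findings


def scan(records):
    """Yield (source_ip, finding) for every suspicious record."""
    for rec in records:
        for finding in check_request(rec["method"], rec["path"], rec["body"]):
            yield rec["src"], finding


# Constructed sample records (documentation IP ranges, harmless marker text).
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": ENDPOINT,
     "body": "deviceName=usb_disk1"},
    {"src": "203.0.113.7", "method": "POST", "path": ENDPOINT,
     "body": "deviceName=usb1%3Becho+constructed-marker"},
    {"src": "192.0.2.10", "method": "GET", "path": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE):
        print(src, finding)
```

Because the page states the endpoint requires no authentication, any hit from a WAN-side source address is worth treating as an incident lead rather than noise.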
