An attacker with admin permissions can exploit Command Injection in the setDateTime function to gain Remote Code Execution (RCE) on the router.
Using IDA to reverse engineer the code of /usr/local/lib/mod_form, I discovered that the setDateTime() function utilizes unsafe command execution by passing user input directly into a shell command without proper input validation.
Although I couldn't locate the GUI to configure those parameters, I was able to reach the function by reverse engineering it. I discovered that the setDateTime() function is invoked by the /goform/NTP endpoint.
Next, I can perform command injection by setting any of the following parameters to a value that includes the backtick character (`): manual_year_select, manual_month_select, manual_day_select, manual_hour_select, manual_min_select, manual_sec_select.
To use the /goform/NTP endpoint, I need to obtain a token. This can be easily achieved by sending a request to /network/ddns.shtml.
Therefore, I will create a crafted request to exploit Remote Code Execution (RCE) by creating a file named pwn.js in the /web directory.
After sending it, a file named pwn.js with the content "pwned" is successfully created in the /web directory.
Combined with the authentication bypass vulnerability that I reported before, this RCE (Remote Code Execution) vulnerability could allow an attacker to take full control of the router and carry out unauthorized actions.
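The root cause is that the six manual_*_select values reach a shell unfiltered. As an added example, not code from this writeup or from the router's firmware, the following C handler shows the validation setDateTime() lacks: each value is parsed as a digits-only bounded integer and the time is built into a struct tm for settimeofday()/clock_settime(), so no shell is involved and a backtick is rejected outright. The function names and the accepted ranges are assumptions.

```c
/* Hardened replacement for passing form values into a shell command.
 * Assumed names: parse_bounded(), set_datetime_hardened(). */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse a strictly decimal string into *out if it lies in [lo, hi].
 * Returns 1 on success, 0 on any malformed or out-of-range input
 * (signs, spaces, quotes and backticks are all rejected here). */
static int parse_bounded(const char *s, long lo, long hi, long *out) {
    char *end;
    long v;
    if (s == NULL || *s == '\0' || strlen(s) > 5) return 0;
    for (const char *p = s; *p; p++)        /* digits only */
        if (*p < '0' || *p > '9') return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi) return 0;
    *out = v;
    return 1;
}

/* Fills *tm from the six NTP form parameters and returns 1, or returns 0
 * without touching anything. The caller then sets the clock with
 * settimeofday()/clock_settime(), never with system() or popen(). */
int set_datetime_hardened(const char *year, const char *month, const char *day,
                          const char *hour, const char *min, const char *sec,
                          struct tm *tm) {
    long y, mo, d, h, mi, s;
    if (!parse_bounded(year, 1970, 2100, &y) || !parse_bounded(month, 1, 12, &mo) ||
        !parse_bounded(day, 1, 31, &d)       || !parse_bounded(hour, 0, 23, &h) ||
        !parse_bounded(min, 0, 59, &mi)      || !parse_bounded(sec, 0, 59, &s))
        return 0;
    memset(tm, 0, sizeof *tm);
    tm->tm_year = (int)(y - 1900); tm->tm_mon = (int)(mo - 1); tm->tm_mday = (int)d;
    tm->tm_hour = (int)h;          tm->tm_min = (int)mi;       tm->tm_sec  = (int)s;
    /* mktime() normalises the date; a changed day-of-month means an
     * impossible calendar date such as 31 February was supplied. */
    struct tm check = *tm;
    return mktime(&check) != (time_t)-1 && check.tm_mday == tm->tm_mday;
}
```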