### Synopsis
Researchers at Tenable discovered an unauthenticated command injection in the web management interface of the TP-Link Archer AX21 (AX1800). In the default configuration this interface is only accessible via LAN (not WAN).
### Technical Details
The **country** parameter of the **write** callback for the **country** form at the **/cgi-bin/luci/;stok=/locale** endpoint is vulnerable to a simple command injection.
The country parameter was used in a call to **popen()**, which executes as **root**, but only after first being set in an initial request.
That is to say, to exploit the issue, an attacker would first have to send the payload as part of the country parameter to set the value, and upon sending a second request (identical or not) to the country endpoint, the first payload would be executed as part of the **popen** command.
**Proof of Concept:**
Sending a request similar to the following twice in a row would run the **$(id>/tmp/out)** command on the second request, creating the **/tmp/out** file containing the output of the **id** command.
```http
POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
Host: <target router>
Content-Type: application/x-www-form-urlencoded

operation=write&country=$(id>/tmp/out)
```
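As an added illustration (not part of Tenable's advisory or TP-Link's firmware), the following Python scan models the two-request trigger described above from a detection standpoint: it parses a sequence of constructed requests, flags a write that stores a non-country value, and flags any later request to the same form while that value is pending. The endpoint path and form name are the advisory's; the allowlist of two-letter codes, the sample host and the sample bodies are assumptions.

```python
import re
from urllib.parse import parse_qs

# Endpoint and form named in the advisory
LOCALE_PATH = "/cgi-bin/luci/;stok=/locale"
COUNTRY_FORM = "country"
# Assumption: legitimate values are ISO 3166 alpha-2 codes; anything else never belongs in a popen() string
VALID_COUNTRY = re.compile(r"^[A-Z]{2}$")

def parse_request(raw):
    """Split a raw HTTP request into method, path, query fields and form fields."""
    head, _, body = raw.partition("\n\n")
    method, target, _ = head.splitlines()[0].split(" ", 2)
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": parse_qs(query), "form": parse_qs(body)}

def classify(req):
    """'other' outside the country form; 'touch' for a non-write request to it; 'valid'/'payload' for writes."""
    if req["path"] != LOCALE_PATH or req["query"].get("form") != [COUNTRY_FORM]:
        return "other"
    if req["form"].get("operation") != ["write"]:
        return "touch"
    country = req["form"].get("country", [""])[0]
    return "valid" if VALID_COUNTRY.match(country) else "payload"

def scan(requests):
    """Stateful scan: a write storing a bad value is 'stored'; any later request to the
    country form (identical or not, per the advisory) while that value is pending is 'executed'."""
    alerts, armed = [], None
    for i, raw in enumerate(requests):
        verdict = classify(parse_request(raw))
        if verdict == "other":
            continue  # unrelated traffic does not clear the stored value
        if armed is not None:
            alerts.append((i, "executed"))
            armed = None
        if verdict == "payload":
            alerts.append((i, "stored"))
            armed = i
    return alerts

def _req(body):
    # Constructed sample traffic: the host and bodies are illustrative, not captured data
    return ("POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1\nHost: 192.168.0.1\n"
            "Content-Type: application/x-www-form-urlencoded\n\n" + body)

SAMPLE_REQUESTS = [_req("operation=write&country=US"),             # benign write
                   _req("operation=write&country=$(id>/tmp/out)"), # advisory's payload: stored
                   _req("operation=write&country=$(id>/tmp/out)"), # identical repeat: executed, stored again
                   _req("operation=read")]                         # any further request fires the pending value
```

Because the stored value persists between requests, the scan deliberately keeps its state across unrelated traffic; on a real log feed the same logic would run per source address.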
### Solution
TP-Link has released firmware version 1.1.4 Build 20230219 which fixes the issue by removing the vulnerable callback.
### Additional References
https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware