The Captain’s Log

Pontifications of The Great and Terrible Captain Cucamunga.

Mon, 12 Feb 2024 21:28:02 EST

Check this out.

The following request is extracted from my web server log for February 11th. I have added line breaks.

GET /cgi-bin/luci/;stok=/locale?

LuCI is the web interface to OpenWrt, a Linux-based firmware for routers and other network devices. This is a command-injection attack. I am not familiar with LuCI, but it clearly parses, or can be tricked into parsing, embedded commands written in Bourne shell subshell (command substitution) syntax. What a disaster.

After percent-decoding, the subshell invocation reads:

rm -rf *;
cd /tmp;
chmod 777;

In English: Delete every file and directory under the current directory (the glob does not match dotfiles, but nothing else survives). Change to the /tmp directory (which is typically world-writeable, so the dropper works even as an unprivileged user). Download a file named Make it readable, writeable, and executable by all users. Run it.

Tenda is a brand. The company makes wifi routers and webcams. This attack is an attempt to take control of a Tenda device. The IP address has a reverse DNS entry that points to a host at, but that domain unsurprisingly has no forward DNS entry.

Update February 13th: The vulnerability targeted by this attack is described in CVE-2023-1389, a command injection in the country parameter of the locale form on the /cgi-bin/luci;stok=/locale endpoint of the TP-Link Archer AX21 router (fixed in firmware 1.1.4 Build 20230219). So whatever the dropper calls itself, the device being probed for is a TP-Link, not a Tenda; the same exploit gets sprayed at every web server that answers. The request parameter is pasted, unsanitized, into a command line that the CGI program hands to popen(). That library function is a shortcut that fork()s and exec()s /bin/sh -c with the given string on the other end of a pipe. Because a shell is doing the parsing, it performs the $(...) command substitution first, so the injected commands run before the intended command is even invoked. The fix is the usual one: validate the parameter against the handful of characters a locale code can contain, and launch the helper with fork()/exec() and an argv array so that no shell ever sees user input. What a disaster.
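To make the popen() point concrete, here is an added example of my own (not code from the router firmware, OpenWrt, or the post above): the vulnerable pattern beside a shell-free replacement and an allowlist check. The function names are made up, and "echo" stands in for whatever locale-setting command the real CGI program runs; the payload is constructed in the spirit of the decoded log entry.

```c
/* Added example, not the firmware's code. The helper names and the use of
 * "echo" as a stand-in for the real locale command are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Read everything written on fd into buf, NUL-terminate, return length. */
static size_t slurp_fd(int fd, char *buf, size_t cap) {
    size_t n = 0;
    ssize_t r;
    while (n + 1 < cap && (r = read(fd, buf + n, cap - n - 1)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    return n;
}

/* VULNERABLE: the request parameter is pasted into a command line and
 * handed to popen(), i.e. to "sh -c". The shell expands $(...), backticks
 * and ';' in the parameter before "echo" ever runs. */
int set_locale_popen(const char *country, char *out, size_t cap) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", country);
    FILE *fp = popen(cmd, "r");
    if (!fp) return -1;
    slurp_fd(fileno(fp), out, cap);
    return pclose(fp);
}

/* HARDENED: no shell at all. The parameter travels as a single argv
 * element, so the helper receives it byte-for-byte and nothing
 * interprets $(...) or ';'. */
int set_locale_execvp(const char *country, char *out, size_t cap) {
    int pfd[2];
    if (pipe(pfd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        char *argv[] = { "echo", (char *)country, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    close(pfd[1]);                      /* parent */
    slurp_fd(pfd[0], out, cap);
    close(pfd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

/* Belt and braces: a locale/country code needs only letters, digits,
 * '_' and '-'. Reject anything else before it gets near a process. */
int locale_is_safe(const char *s) {
    if (!*s || strlen(s) > 16) return 0;
    for (; *s; s++) {
        int ok = (*s >= 'A' && *s <= 'Z') || (*s >= 'a' && *s <= 'z') ||
                 (*s >= '0' && *s <= '9') || *s == '_' || *s == '-';
        if (!ok) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed payload, same shape as the decoded log entry. */
    const char *payload = "$(echo injected)";
    char out[128];
    set_locale_popen(payload, out, sizeof out);
    printf("popen : %s", out);          /* the substitution ran: "injected" */
    set_locale_execvp(payload, out, sizeof out);
    printf("execvp: %s", out);          /* literal "$(echo injected)" */
    printf("allowlist en_US=%d payload=%d\n",
           locale_is_safe("en_US"), locale_is_safe(payload));
    return 0;
}
```

Run it and the popen() path prints "injected" while the execvp() path prints the payload verbatim; that difference is the whole bug. The allowlist is there because the exec() fix protects the CGI program but not whatever the locale helper itself does with an odd string, so both belong in the patch.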