# Using binwalk to carve the squashfs $ binwalk -Me Tenda_MX12_V1.0.0.24_EN.bin 256 0x100 TRX firmware header, image size: 14876672 bytes 512 0x200 LZMA compressed data 1456128 0x163800 Squashfs filesystem, little endian, version 4.0
An authenticated attacker (or any user on the LAN if the session check is bypassed) can inject arbitrary commands via the ping diagnostic tool. Example: Tenda Mx12 Firmware
Using a simple Python script, we triggered a crash dump: # Using binwalk to carve the squashfs $