CVE-2023-4746: Use format string bypass Totolink's Validity_check function, lead to remote OS command injection (CVE-2023-4746)

A vulnerability classified as critical has been found in TOTOLINK N200RE V5 9.3.5u.6437_B20230519. This affects the function Validity_check. The manipulation leads to format string. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-238635.


Use format string bypass Totolink’s Validity_check function, lead to remote OS command injection (CVE-2023-4746)

Firmware info

  • Device name: N200RE V5
  • Build version: V9.3.5u.6437_B20230519 (updated 2023-05-26)
  • Download link: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html
  • Authentication: Yes (login with an account on the firmware's web interface)
  • Affected: an unknown number of Totolink firmware versions that use the function Validity_check.

Description and Impact

Totolink uses the function Validity_check to fix an OS command injection vulnerability. An attacker can bypass this filter using the character % and exploit the format string handling in the snprintf call to execute OS commands.

Root cause

The function Validity_check searches for blacklisted strings and characters such as $ ` | ; &

After the validation, the server executes the system command when it cannot find any blacklisted characters.

The program calls some external libraries.

The function doSystem uses vsnprintf to craft the system command and then executes it with system.

The functions snprintf and vsnprintf are vulnerable to format string attacks when the format argument is attacker-controlled (source: Format string attack | OWASP).

Steps to reproduce

When using the ping or traceroute feature, an attacker can inject the characters %x into the IP address field.

The server responds with a hex value, suggesting a format string vulnerability.

When the attacker uses the payload %whoami, the server responds with busybox's output. This suggests that the string whoami was delivered to the busybox interpreter.

When the attacker sent the same payload to traceroute, the command was executed successfully.

Due to the limitation of % as the format specifier, some commands can't be executed. The reason is the first character

An attacker can use an absolute path to bypass this issue and execute system commands.

When the ping feature is used for exploitation, the command may fail to run because the -w flag for the ping command is hard-coded.

The attacker can use syntax that calls /bin/bash or /bin/sh to execute a command that does not contain -w, thereby avoiding the command execution error.

Recommendations

  • Add % to blacklist
  • Check the logic of doSystem to avoid format string error.
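To make the root cause and the two recommendations concrete, here is an added C example written for this page (not Totolink's firmware code) that reconstructs the pattern as hypothetical functions: a blacklist check that misses %, the same check with % added, a builder that splices user input into the string doSystem would use as its vsnprintf format, and a hardened builder that keeps the format constant and validates the input as an IP literal with inet_pton. The -w timeout value and all input strings are constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

static char cmd[128];   /* shared output buffer for the builders below */

/* Blacklist modelled on the advisory's Validity_check (hypothetical
 * reconstruction, not Totolink's code): rejects $ ` | ; & but not '%'. */
int validity_check_blacklist(const char *s) {
    return strpbrk(s, "$`|;&") == NULL;        /* 1 = accepted */
}

/* Recommendation 1 from the advisory: add '%' to the blacklist. */
int validity_check_fixed(const char *s) {
    return strpbrk(s, "$`|;&%") == NULL;
}

/* Vulnerable pattern: the user's IP string is spliced into the text that
 * doSystem() later hands to vsnprintf() AS ITS FORMAT ARGUMENT. The string
 * is only returned here (nothing is formatted or executed) so a test can
 * show that an attacker-supplied conversion specifier survives the check. */
const char *build_ping_format_vulnerable(const char *ip) {
    if (!validity_check_blacklist(ip))
        return NULL;
    snprintf(cmd, sizeof cmd, "ping -w 5 %s", ip);   /* cmd may now hold "%x" */
    return cmd;                                      /* doSystem(cmd) would misuse it */
}

/* Recommendation 2: fix doSystem's logic. The format string is a constant,
 * user data is only ever a %s argument, and the value is validated as an
 * IPv4/IPv6 literal with inet_pton (allowlist) rather than a blacklist. */
const char *build_ping_hardened(const char *ip) {
    unsigned char addr[16];
    if (inet_pton(AF_INET, ip, addr) != 1 && inet_pton(AF_INET6, ip, addr) != 1)
        return NULL;                                 /* not an IP literal: reject */
    snprintf(cmd, sizeof cmd, "ping -w 5 %s", ip);   /* a '%' in ip is never parsed */
    return cmd;
}

int main(void) {
    const char *probe = "%x";                        /* constructed sample input */
    printf("blacklist accepts \"%s\": %d\n", probe, validity_check_blacklist(probe));
    printf("fixed check accepts \"%s\": %d\n", probe, validity_check_fixed(probe));
    printf("hardened builder for \"%s\": %s\n", probe,
           build_ping_hardened(probe) ? "accepted" : "rejected");
    printf("hardened command: %s\n", build_ping_hardened("192.0.2.1"));
    return 0;
}
```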

Reference

  • https://owasp.org/www-community/attacks/Format_string_attack
  • https://www.cs.cornell.edu/courses/cs3410/2008fa/MIPS_Vol2.pdf
  • https://en.wikibooks.org/wiki/MIPS_Assembly/Register_File
