TOTOLINK Router CMD Injection

There are three cmd injection vulnerabilities in TOTOLINK routers.
Affected products: including but not limited to TOTOLINK A950RG and TOTOLINK T10.
Affected firmwares: A950RG V5.9c.4216_B20190710 and T10 V5.9c.4096_B20190509

Vulnerabilities Description

An attacker can execute arbitrary Linux OS commands via "setNTPCfg", "NTPSyncWithHost" and "setDiagnosisCfg" POST requests after login.

Modules Load

/bin/cste_sub: load_modules() function loads all libraries located in directory /lib/cste_modules:

Handlers Register

The handlers of "setNTPCfg", "NTPSyncWithHost" and "setDiagnosisCfg" are located in system.so. The module_init() function in system.so registers module handlers:

Vulnerabilities

In these handlers, there is no filter to avoid insecure characters, functions directly concatenate the imput strings to system commands.
NTPSyncWithHost:

setDiagnosisCfg:

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
images		images
README.md		README.md
poc-NTPSyncWithHost.py		poc-NTPSyncWithHost.py
poc-setDiagnosisCfg.py		poc-setDiagnosisCfg.py
poc-setNTPCfg.py		poc-setNTPCfg.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

images

images

README.md

README.md

poc-NTPSyncWithHost.py

poc-NTPSyncWithHost.py

poc-setDiagnosisCfg.py

poc-setDiagnosisCfg.py

poc-setNTPCfg.py

poc-setNTPCfg.py

Repository files navigation

TOTOLINK Router CMD Injection

Vulnerabilities Description

Modules Load

Handlers Register

Vulnerabilities

POC

About

Releases

Packages

Languages

gtrboy/totolink

Folders and files

Latest commit

History

Repository files navigation

TOTOLINK Router CMD Injection

Vulnerabilities Description

Modules Load

Handlers Register

Vulnerabilities

POC

About

Resources

Stars

Watchers

Forks

Languages