Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

TOTOLINK Vulnerability

Vendor:TOTOLINK

Product:A720R

Version:A720R_Firmware(V4.1.5cu.470_B20200911)

Type:Sensitive data disclosure

Author:Huizhao Wang, Chuan Qin

Institution:wanghuizhao@iie.ac.cn, qinchuan@iie.ac.cn

Vulnerability description

We found a sensitive data disclosure vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to download Config-A720R_v2-xxxxxxxx.dat.

We use a binary editor to view the contents of the file, it starts with COMPCS. We can know that this is apmib configuration file.

image-20210615211728467

Then, sensitive information such as username and password can be found in the decoded file.

image-20210615193221876

POC

Sending GET request http://192.168.0.1/cgi-bin/ExportSettings.sh , this shell script can return the apmib configuration file. Then, we can decode the configuration file and get username, password.

CVE info

CVE-2021-35326