- Build version: EN_V9.3.5u.6146_B20201023
- Download URL: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/217/ids/36.html
These vulnerabilities allow an attacker to execute OS commands remotely as root. The build dates from 2020, so it is likely that an attacker can send unauthenticated requests to cgi-bin.
Totolink's cgi-bin shares its code with other firmware. While that other firmware was analyzed and reported by researchers (and fixed), this firmware was not fixed by Totolink.
Function setDiagnosisCfg executes the OS command ping. An attacker can execute a remote OS command using a crafted payload in Ping Address.
When setDiagnosisCfg is called, it builds the ping command with the syntax `ping %s -w %d &>/var/log/pingCheck`.
The value of Ping Address is not validated, therefore an attacker can send a crafted payload to execute an OS command and read the command output via getDiagnosisCfg.

Function setTracerouteCfg executes the OS command traceroute. An attacker can execute a remote OS command using a crafted payload in Trace Address.
When setTracerouteCfg is called, it builds the traceroute command with the syntax `traceroute -m %d %s&>/var/log/traceRouteLog`. The value of Trace Address is not validated, therefore an attacker can send a crafted payload to execute an OS command and read the command output via getTracerouteCfg.

Function setWanCfg executes the OS command echo to overwrite the hostname. An attacker can execute a remote OS command using a crafted payload in Host Name.
When setWanCfg is called, it builds the OS command with the syntax `echo '%s' > /proc/sys/kernel/hostname`. The value of Host Name is not validated, so an attacker can send a crafted payload to execute an OS command.
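As an added illustration (not code from this advisory or from Totolink's firmware), the sketch below contrasts the `system()`-style construction described for setDiagnosisCfg with a hardened version that allow-lists the address and runs ping through execvp; the same validate-then-exec pattern applies to the traceroute and hostname sinks. The function names, the `-c 4` packet count and the 1-60 second bound on `-w` are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical sketch of the flawed pattern: the user-supplied address is
 * formatted into a shell command line, so /bin/sh interprets metacharacters. */
int ping_via_shell_unsafe(const char *addr, int wait_secs) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping %s -w %d &>/var/log/pingCheck", addr, wait_secs);
    return system(cmd);
}

/* Allow-list check: an IPv4/IPv6 literal or hostname contains only letters,
 * digits, '.', '-' and ':'; anything else (';', '|', '`', '$', quotes, whitespace)
 * is rejected before any command is built. A leading '-' cannot become an option. */
bool is_valid_ping_target(const char *addr) {
    size_t len = addr ? strlen(addr) : 0;
    if (len == 0 || len > 253 || addr[0] == '-') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
    }
    return true;
}

/* Hardened form: validate, then exec ping with an argv so no shell parses the
 * address. Returns ping's exit status, or -1 if the input was rejected. */
int ping_without_shell(const char *addr, int wait_secs) {
    if (!is_valid_ping_target(addr) || wait_secs < 1 || wait_secs > 60) return -1;
    char wait_arg[16];
    snprintf(wait_arg, sizeof wait_arg, "%d", wait_secs);
    char *const argv[] = {"ping", "-c", "4", "-w", wait_arg, (char *)addr, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* the child redirects its own stdout/stderr to the log file */
        if (freopen("/var/log/pingCheck", "w", stdout)) dup2(STDOUT_FILENO, STDERR_FILENO);
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```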
