- Build version: EN_V9.3.5u.6146_B20201023
- Download URL: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/217/ids/36.html
These vulnerabilities allow an attacker to execute OS commands remotely as root. The build is from 2020, so it is possible that an attacker can send unauthenticated requests to cgi-bin.

Totolink's cgi-bin shares code with its other firmware. While that other firmware was analyzed and reported by researchers (and fixed), this firmware was not fixed by Totolink.
Function `setDiagnosisCfg` executes the OS command `ping`. An attacker can execute a remote OS command using a crafted payload in the Ping Address field.

When `setDiagnosisCfg` is called, it builds the ping command with the syntax `ping %s -w %d &>/var/log/pingCheck`. The value of Ping Address is not validated, therefore an attacker can send a crafted payload to execute an OS command and read the command output with `getDiagnosisCfg`.
Function `setTracerouteCfg` executes the OS command `traceroute`. An attacker can execute a remote OS command using a crafted payload in the Trace Address field.

When `setTracerouteCfg` is called, it builds the traceroute command with the syntax `traceroute -m %d %s&>/var/log/traceRouteLog`. The value of Trace Address is not validated, therefore an attacker can send a crafted payload to execute an OS command and read the command output with `getTracerouteCfg`.
Function `setWanCfg` executes the OS command `echo` to overwrite the hostname. An attacker can execute a remote OS command using a crafted payload in the Host Name field.

When `setWanCfg` is called, it builds the OS command with the syntax `echo '%s' > /proc/sys/kernel/hostname`. The value of Host Name is not validated, so an attacker can send a crafted payload to execute an OS command.
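As an added illustration (not code from the advisory or from Totolink's firmware), here is what the missing validation looks like for the ping case in C: an allow-list check on the address, and a launcher that passes the address as a single argv element with no shell in between, so the `ping %s -w %d &>/var/log/pingCheck` pattern cannot turn into a second command. The same approach covers the traceroute case, and for the hostname the fix is to write the value to `/proc/sys/kernel/hostname` directly instead of through `echo`; the function names, the 60-second timeout bound and the log path parameter are assumptions.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ADDR 253   /* longest valid hostname */

/* Allow-list check for the "Ping Address" / "Trace Address" value: only the
 * characters that can appear in an IPv4/IPv6 address or hostname. Shell
 * metacharacters (';', '|', '&', '`', '$', quotes, whitespace) all fail here,
 * which is the check the advisory says setDiagnosisCfg lacks. */
int is_safe_target(const char *addr) {
    size_t n = strlen(addr);
    if (n == 0 || n > MAX_ADDR || addr[0] == '-')   /* leading '-' would be parsed as a ping option */
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hardened replacement for the shell-built command: no shell is involved, the
 * address is always exactly one argv element, and the log redirection is done
 * with dup2 rather than shell syntax. Returns ping's exit status, or -1 if the
 * input is rejected or the process cannot be started. (Assumed function.) */
int ping_checked(const char *addr, int timeout_s, const char *logpath) {
    char tbuf[16];
    if (!is_safe_target(addr) || timeout_s < 1 || timeout_s > 60)
        return -1;
    snprintf(tbuf, sizeof tbuf, "%d", timeout_s);
    char *const argv[] = { "ping", "-w", tbuf, (char *)addr, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                                   /* child: redirect output, then exec */
        int fd = open(logpath, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd >= 0) { dup2(fd, STDOUT_FILENO); dup2(fd, STDERR_FILENO); close(fd); }
        execvp("ping", argv);
        _exit(127);                                   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```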