- Device name: N200RE V5
- Build version: V9.3.5u.6437_B20230519 (Update 2023-05-26)
- Download link: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html
- Authentication: Yes (login as an account on the firmware's web interface)
- Affect: Unknown number of Totolink firmware versions that use the function `Validity_check`.
Totolink uses the function `Validity_check` to fix an OS command injection vulnerability. An attacker can bypass this filter using the `%` character and exploit the format string handling in the `snprintf` function to execute OS commands.

The function `Validity_check` looks for blacklisted strings / characters such as `$ \` | ; &`. After the validation, the server executes the system command if it does not find any blacklisted characters.
The program calls some external libraries. The function `doSystem` uses `vsnprintf` to craft the system command and then executes it using `system`.

The functions `snprintf` and `vsnprintf` are vulnerable to format string attacks when the format argument is user-controlled (source: Format string attack | OWASP).
When using the ping or traceroute feature, an attacker can inject the characters `%x` into the IP address. The server responds with a hex value, suggesting a format string vulnerability.

When the attacker uses the payload `%whoami`, the server responds with busybox's output. This suggests that the string `whoami` was delivered to the busybox interpreter.

When the attacker sends the same payload to traceroute, the command is executed successfully.

Due to the limitation of `%` as the format string, some commands can't be executed. The reason is the first character. An attacker can use an absolute path to bypass this issue and execute system commands.
When the attacker uses the ping feature to exploit this, the command may fail to run because the `-w` flag of the `ping` command is hard-coded. The attacker can use syntax that calls `/bin/bash` or `/bin/sh` to execute a command that does not contain `-w`, thereby avoiding the command execution error.
- Add `%` to the blacklist
- Check the logic of `doSystem` to avoid the format string error
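As an added example (not the firmware's code), here is a hardened version of the two fixes above in C: the blacklist with `%` added, and a `doSystem`-style command builder that keeps user input out of the format string. The function names and the `-w 5` timeout value are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Blacklist from the advisory ($ ` | ; &) with '%' added, as the fix section
   recommends. Function names here are hypothetical, not the firmware's. */
static const char BLACKLIST[] = "$`|;&%";

/* Returns true when `input` contains none of the blacklisted characters. */
bool validity_check(const char *input)
{
    return strpbrk(input, BLACKLIST) == NULL;
}

/* Hardened equivalent of doSystem's command crafting: the format string is a
   fixed literal and the user-controlled host goes in as a "%s" argument, so a
   "%x" or "%whoami" in it is copied verbatim rather than interpreted.
   The "-w 5" timeout is an assumed value; the advisory only says -w is hard-coded.
   Returns the length written, or -1 on truncation. */
int format_ping_cmd(char *out, size_t outlen, const char *host)
{
    int n = snprintf(out, outlen, "ping -w 5 %s", host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Request handler: validate first, then build the command. Returns -1 when the
   input is rejected; a caller would hand `out` to system() only on success. */
int handle_ping_request(char *out, size_t outlen, const char *host)
{
    if (!validity_check(host))
        return -1;
    return format_ping_cmd(out, outlen, host);
}
```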
If this were unauthenticated as well, it would be sweet =))))))))))))))))))))