Skip to content

Instantly share code, notes, and snippets.

@dmknght
Last active October 26, 2023 00:05
Show Gist options
  • Save dmknght/8f3b6aa65e9d08f45b5236c6e9ab8d80 to your computer and use it in GitHub Desktop.
Save dmknght/8f3b6aa65e9d08f45b5236c6e9ab8d80 to your computer and use it in GitHub Desktop.
Use format string bypass Totolink's Validity_check function, lead to remote OS command injection (CVE-2023-4746)
@0xmanhnv
Copy link

Này mà unauth nữa thì ngon =))))))))))))))))))))

@dmknght
Copy link
Author

dmknght commented Aug 27, 2023

Này mà unauth nữa thì ngon =))))))))))))))))))))

Mấy bản nó vá đã có check authen rồi. Nhưng cái này affect cả những cái chưa vá -> sẽ có unauthen tùy version

@TH213
Copy link

TH213 commented Aug 27, 2023

Má nó ngon :))

@dmknght
Copy link
Author

dmknght commented Aug 30, 2023

Update: the reason that the bug happened was the snprintf and C format string. Updating the Root cause
image

@dmknght
Copy link
Author

dmknght commented Aug 30, 2023

It appeared that when attacker used the payload 1.1.1.1%/bin/ps wlT, the result showed S 0 6002 6001 1512 372 0:0 14:21 00:00:00 /bin/sh -c /bin/ps wlT&>/var/log/traceRouteLog. The payload after % was pushed to a new command. However, it's still unknown how it's possible in doSystem's logic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment