Use format string bypass Totolink's Validity_check function, lead to remote OS command injection (CVE-2023-4746)

totolink_bypass_to_rce.md

Firmware info

• Device name: N200RE V5
• Build version: V9.3.5u.6437_B20230519 (Update 2023-05-26
• Download link: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html
• Authentication: Yes (Login as account on firmware's web interface)
• Affect: Unknown number of ToTotlink firmware that uses function Validity_check.

Description and Impact

Totolink is using function Validity_check to fix OS command injection vulnerability. An attacker can bypass this filter using character %, exploit the format string at snprintf function to execute OS system commands.

Root-casue

Function Validity_check finds blacklisted strings / characters such as $ ` | ; &

After the validation, the server executes system command when it can't find any blacklisted characters

The program is calling some external libraries

Function doSystem is using function vsnprintf to craft system command and then execute using system.

Functionssnprintf and vsnprintf are vulnerable against format string attack (source: Format string attack | OWASP)

Steps to reprocedure

when use the ping or traceroute feature, attacker can inject character %x in the IP address

The server responses with a hex value, suggesting it could be a format string vulnerability

When attacker uses payload %whoami, the server response busybox's output. It suggests that the string whoami was delivered to the busybox interpreter

When attacker sent the same payload to traceroute, the command was executed sucessfully

Due to limitation of the % as the string format, some command can't be executed. The reason is the first character

Attacker can use absolute path to bypass this issue, executing system command

When attacker uses ping feature to exploit, it might be command failed to run because the flag -w for command ping is hard-coded.

Attacker can use the syntax that calls /bin/bash or /bin/sh to execute the command that does not contain -w, therefore avoid the command execution error

Recommends

• Add % to blacklist
• Check the logic of doSystem to avoid format string error.

Reference

• https://owasp.org/www-community/attacks/Format_string_attack
• https://www.cs.cornell.edu/courses/cs3410/2008fa/MIPS_Vol2.pdf
• https://en.wikibooks.org/wiki/MIPS_Assembly/Register_File

It appeared that when attacker used the payload 1.1.1.1%/bin/ps wlT, the result showed S 0 6002 6001 1512 372 0:0 14:21 00:00:00 /bin/sh -c /bin/ps wlT&>/var/log/traceRouteLog. The payload after % was pushed to a new command. However, it's still unknown how it's possible in doSystem's logic