Login Authentication Bypass Vulnerability Description

Vendor Of The Product: Totolink A830R

Affected Products and Firmware version: Totolink A830R with firmware version V4.1.2cu.5182

Vulnerability: Login Authentication Bypass Vulnerability

Vulnerability description: There is a logic flaw in the program code of the TOTOLINK A830R router (firmware version V4.1.2cu.5182). An attacker can log in to the management backend without a password and obtain backend administrator rights.

Vulnerability Analysis

Find the latest A830R firmware on the TOTOLINK website and download it to conduct a code audit locally. Download address: [TOTOLINK, a leading global developer and manufacturer of wireless routers and wireless repeaters](http://totolink.cn/home/menu/detail.html?menu_listtpl=download&id=11&ids=36)

Use binwalk to analyze firmware:


After examining the files unpacked by binwalk, the router is found to run a lighttpd web service, and a global.so library is present; this library is reverse engineered:


Analysis of the global.so pseudocode shows:

  1. After a successful login, the program responds with a 302 redirect: <http://192.168.1.1/formLoginAuth.htm?authCode=1&userName=admin&password=admin&goURL=home.asp&action=login>
  2. After obtaining the cookie, the client is redirected to: http://192.168.1.1/home.asp?timestamp=1665204207
  3. There is a flaw that bypasses the backend login authentication, so the backend can be accessed directly without an account password.
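The login flow above (a 302 from formLoginAuth.htm, then a fetch of home.asp with the session cookie) gives a defender a simple detection signal: a client that is served the authenticated landing page without ever having completed a successful login. The following is an added example, not code from the original writeup or from TOTOLINK; it assumes lighttpd's default access log format (`%h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"`), uses the client IP as a stand-in for the session cookie (the cookie is not written to the default log), treats any non-302 response from the login URL as a failed login, and runs over constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Regex for lighttpd's default accesslog format; only the fields this check
# needs (client, timestamp, method, request target, status) are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATH = "/formLoginAuth.htm"
# Assumption: home.asp is the landing page that should only be reachable after
# a successful login (as described in the writeup's login flow).
ADMIN_PATHS = {"/home.asp"}

# Constructed sample log lines (values are invented for this example).
# Line 1-2: normal login (302) followed by home.asp.
# Line 3:   home.asp served 200 with no login at all from that client.
# Line 4-5: failed login (non-302), then home.asp served 200 anyway.
SAMPLE_LOG = """\
192.168.1.50 192.168.1.1 - [08/Oct/2022:12:03:27 +0800] "GET /formLoginAuth.htm?authCode=1&userName=admin&password=admin&goURL=home.asp&action=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 192.168.1.1 - [08/Oct/2022:12:03:28 +0800] "GET /home.asp?timestamp=1665204207 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.77 192.168.1.1 - [08/Oct/2022:12:10:02 +0800] "GET /home.asp?timestamp=1665204602 HTTP/1.1" 200 5123 "-" "curl/7.85.0"
192.168.1.88 192.168.1.1 - [08/Oct/2022:12:11:40 +0800] "GET /formLoginAuth.htm?authCode=1&userName=admin&password=wrong&goURL=home.asp&action=login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.88 192.168.1.1 - [08/Oct/2022:12:11:41 +0800] "GET /home.asp?timestamp=1665204701 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def is_successful_login(rec):
    """A login is counted as successful only when the login URL answered 302 (per the writeup)."""
    return (
        rec["path"] == LOGIN_PATH
        and rec["query"].get("action") == ["login"]
        and rec["status"] == 302
    )


def find_unauthenticated_admin_access(log_text):
    """Return (client, request target) pairs where an admin page was served 200
    to a client that has not completed a successful login earlier in the log."""
    logged_in = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_successful_login(rec):
            logged_in.add(rec["client"])
        elif (
            rec["path"] in ADMIN_PATHS
            and rec["status"] == 200
            and rec["client"] not in logged_in
        ):
            findings.append((rec["client"], rec["target"]))
    return findings


if __name__ == "__main__":
    for client, target in find_unauthenticated_admin_access(SAMPLE_LOG):
        print(f"admin page served without prior login: client={client} target={target}")
```

Keying on the client IP is a coarse approximation: clients behind NAT share an address, and a session that expires and is re-established looks the same as a genuine login. If the web server can be configured to log the session cookie, the same check keyed on the cookie value is more precise. Note also that, in the login URL shown in the writeup, the credentials travel in the query string and therefore end up in the access log itself; such logs need to be protected accordingly.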


Vulnerability verification

  1. System version information:


  2. Without a password, you can log in to the backend using the following payload: