Command Injection Vulnerability Description

Vendor Of The Product: Totolink A830R

Affected Products and Firmware version: Totolink A830R with firmware version V4.1.2cu.5182

Vulnerability: Command Injection

Vulnerability description: The program code on the Totolink A830R router (firmware version V4.1.2cu.5182) passes user-submitted parameters directly to the shell without filtering, so an attacker can execute arbitrary system commands.

Vulnerability Analysis

Obtain the latest A830R firmware from the TOTOLINK website and download it for a local code audit. Download address: [TOTOLINK, the world's leading developer and manufacturer of wireless routers and wireless repeaters](<http://totolink.cn/home/menu/detail.html?menu_listtpl=download&id=11&ids=36>)

Use binwalk to analyze firmware:

Analysis of the files unpacked by binwalk shows that the router runs a lighttpd web service; the downloadFlile.cgi binary was then reverse-engineered:

  1. The downloadFlile.cgi pseudocode shows that the variable v14 is taken from the QUERY_STRING environment variable via getenv() in the CGI; that is, it holds the parameter string of the GET request to the CGI route.
  2. The program splices v14 into the %s position of the string "echo QUERY_STRING:%s >/tmp/download" using sprintf, and stores the resulting string in v24.
  3. The program then passes v24 to the system() function.
  4. The parameters handed to system() are not filtered, so part of the command line is under external control, which results in a command injection vulnerability. For example, if v14 is set to `ifconfig>../result.txt` (in backticks), v24 becomes echo QUERY_STRING:`ifconfig>../result.txt` >/tmp/download; on Linux, text in backticks is executed as a command by the shell. Therefore, when system(v24) runs, the externally supplied ifconfig command is executed as well, and its output is written to result.txt in the web root directory.
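The pattern the pseudocode describes, placed beside a hardened equivalent, as an added C example written for this advisory (not the vendor's firmware code; the function names and the /tmp/gr_example_download path are assumed):

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern, as the pseudocode describes it (for contrast only):
 * the query string is spliced into a shell command line and handed to
 * system(), so backticks, ';' or '|' in the request are run by /bin/sh. */
void log_query_string_vulnerable(const char *qs)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo QUERY_STRING:%s >/tmp/download", qs);
    system(cmd);   /* attacker-controlled text reaches the shell */
}

/* Hardened form: write the same record with stdio, never via a shell.
 * Shell metacharacters are then just bytes in the file. Returns 0 on success. */
int log_query_string_safe(const char *qs, const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fprintf(f, "QUERY_STRING:%s\n", qs) >= 0;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Defence in depth: allow-list the characters a query string legitimately
 * needs before the value is used anywhere. Returns 1 if acceptable. */
int query_string_is_safe(const char *qs)
{
    for (; *qs != '\0'; qs++) {
        if (isalnum((unsigned char)*qs) || strchr("=&%._-", *qs) != NULL)
            continue;
        return 0;   /* rejects '`', '$', ';', '|', '<', '>', spaces, ... */
    }
    return 1;
}

/* Read back the first line of a file (used to check what was written). */
int read_first_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}
```

With the hardened writer, the backtick payload from step 4 ends up verbatim in the log file and no command runs; the allow-list rejects it before it is used at all.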

Vulnerability Verification

  1. System version information:

  2. Vulnerability validation step 1: the injected command is executed and its result is written to the result.txt file.