CVE-2018-1057: The Miner exploit for Totolink NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the command parameter in the setTracerouteCfg function.

Vulnerability Summary

Totolink, a manufacturer of network routers, discovered that its device was vulnerable to an authenticated stack overflow. This vulnerability allows attackers to execute arbitrary code on the host with root privileges.
This exploit specifically targets the NR1800X V9.1.0u.6279_B20210910, which Totolink sells and uses for its home routers.
The vulnerability is in the setTracerouteCfg function in getroute(). The command parameter specifies the traceroute configuration parameters as a string. A stack overflow occurs when this string is converted into an integer and passed as input to the system call syscall(SYS_CONNECT).
The exploit was identified by Tencent Security Center's malware analysis lab, and it has been confirmed to work on the devices mentioned above.
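
The firmware's own code is not shown on this page. The following added example, which is not Totolink's code, sketches the defensive pattern for the defect class described above: a request-supplied command string is length-checked before it reaches a fixed-size stack buffer, and its integer conversion is range-checked. The function names, the 64-byte buffer size and the 1 to 255 range are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 64 /* assumed size of the handler's stack buffer */

/* Unsafe pattern, for contrast: strcpy(buf, command) copies until the NUL
 * byte, so a request-controlled string longer than buf overwrites adjacent
 * stack data, including the saved return address. */

/* Bounded copy: returns 0 on success, -1 if the input is missing or does
 * not fit. Oversized input is rejected rather than silently truncated. */
int copy_command(char *dst, size_t dst_len, const char *command)
{
    if (dst == NULL || dst_len == 0 || command == NULL)
        return -1;
    /* Look for the terminator within the first dst_len bytes only. */
    const char *nul = memchr(command, '\0', dst_len);
    if (nul == NULL)
        return -1; /* no room for the string plus its NUL */
    memcpy(dst, command, (size_t)(nul - command) + 1);
    return 0;
}

/* Checked conversion: rejects empty input, trailing junk, overflow and
 * values outside [min, max]. */
int parse_int_param(const char *s, long min, long max, long *out)
{
    char *end;
    if (s == NULL || *s == '\0' || out == NULL)
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;
    if (v < min || v > max)
        return -1;
    *out = v;
    return 0;
}

/* Hypothetical handler: validates "command" before any further use.
 * The 1..255 range is an assumed limit, not a value from the firmware. */
int handle_traceroute_cfg(const char *command, long *value)
{
    char buf[CMD_MAX];
    if (copy_command(buf, sizeof buf, command) != 0)
        return -1;
    return parse_int_param(buf, 1, 255, value);
}
```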

Solution

To fix this issue, download a fixed version of the firmware from https://support.totolink.com/downloads/NVR18XB20210910_B20210910.zip
Totolink NVR18X B20210910 _B20210910
Firmware Version: V9.1.0u.6279_B20210910
SystemGaugeVersion: V9.0.0f7

Affected Devices

The following devices are affected:
Totolink NR1800X V9.1.0u.6279_B20210910

Timeline

Published on: 10/06/2022 19:15:00 UTC
Last modified on: 10/12/2022 03:09:00 UTC
