BugTraq
15 TOTOLINK router models vulnerable to multiple RCEs Jul 15 2015 07:12PM
Pierre Kim (pierre kim sec gmail com) (1 replies)
Re: [FD] 15 TOTOLINK router models vulnerable to multiple RCEs Jul 16 2015 11:12AM
Joshua Wright (jwright hasborg com)
> Title: 15 TOTOLINK router models vulnerable to multiple RCEs
> Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
> Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
> Date published: 2015-07-16
> Vendors contacted: None
> Release mode: 0days, Released
> CVE: no current CVE

This was my morning LOL:

$ curl -O http://totolink.net/include/download.asp?path=down/010300&file=TOTOLINK%20N300RG_8_70.zip
$ unzip TOTOLINK\ N300RG_8_70.bin
$ binwalk -e TOTOLINK\ N300RG_8_70.bin

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 uImage header, header size: 64 bytes, header CRC: 0xB0D462F0, created: 2013-08-19 07:55:35, image size: 1875904 bytes, Data Address: 0x80000000, Entry Point: 0x802CB000, data CRC: 0x6F60CB3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "zn300rg"
64 0x40 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3038108 bytes
864256 0xD3000 Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 1010967 bytes, 352 inodes, blocksize: 65536 bytes, created: 2013-08-19 07:55:31

$ grep -hR cgi-bin _TOTOLINK\ N300RG_8_70.bin.extracted/ 2>/dev/null
<meta http-equiv=refresh content="0; URL=/cgi-bin/timepro.cgi?tmenu=main_frame&smenu=main_frame">
winurl = "/cgi-bin/timepro.cgi?tmenu=popup&smenu="+flag;
Binary file _TOTOLINK N300RG_8_70.bin.extracted/squashfs-root/bin/timepro.cgi matches
Binary file _TOTOLINK N300RG_8_70.bin.extracted/squashfs-root/bin/login-cgi/login.cgi matches
ScriptAlias /cgi-bin/ /bin/
Auth /cgi-bin /etc/httpd.passwd

I assume the conversation went like this:

DEV1: We need access to shell commands for the admin interface!
DEV2: OK, let's ScriptAlias the system /bin directory to /cgi-bin/.
DEV1: Good idea.
FIN

-Josh
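A firmware-review check for the misconfiguration found by the grep in the reply above, as an added example that is not part of the original post or the advisory. It assumes whitespace-separated directives like the two lines shown there; the '#' comment handling, the /usr/www/cgi/ path and the function names are assumptions.

```python
import os
import posixpath

# General-purpose executable directories: as a CGI root, each one makes every
# program in it reachable through the web server.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}

# Constructed samples. The two WEAK directives are the lines quoted in the
# post; /usr/www/cgi/ in FIXED is a hypothetical dedicated CGI directory.
WEAK = "# constructed\nScriptAlias /cgi-bin/ /bin/\nAuth /cgi-bin /etc/httpd.passwd\n"
FIXED = "# constructed\nScriptAlias /cgi-bin/ /usr/www/cgi/\nAuth /cgi-bin /etc/httpd.passwd\n"

def parse_directives(text):
    """Yield (lineno, name, args) per directive; '#' comments are an assumption."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield lineno, fields[0].lower(), fields[1:]

def audit_httpd_conf(text):
    """Report ScriptAlias directives whose target is a system binary directory."""
    directives = list(parse_directives(text))
    auth = {posixpath.normpath(a[0]) for _, n, a in directives if n == "auth" and a}
    findings = []
    for lineno, name, args in directives:
        if name != "scriptalias" or len(args) < 2:
            continue
        prefix, target = (posixpath.normpath(p) for p in args[:2])
        if target in SYSTEM_BIN_DIRS:
            # auth_required only narrows who can reach the binaries; the
            # mapping itself is the finding.
            findings.append({"line": lineno, "url_prefix": prefix,
                             "target": target, "auth_required": prefix in auth})
    return findings

def scan_tree(root):
    """Audit every small regular file under an extracted firmware root."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            # Skip symlinks so absolute links in the image never read host files.
            if not os.path.islink(path) and os.path.isfile(path) and os.path.getsize(path) < 65536:
                with open(path, errors="ignore") as fh:
                    found = audit_httpd_conf(fh.read())
                if found:
                    results[path] = found
    return results
```

Point scan_tree at the squashfs-root directory that binwalk extracts to get the findings per configuration file.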
