إرسال #189820: Blind remote OS command injection in Host Name on TOTOLink EX1200Lالمعلومات

عنوان	Blind remote OS command injection in Host Name on TOTOLink EX1200L
الوصف	## Description and impact Function `setWanCfg` executes os command `echo` to overwrite hostname. An attacker can execute remote os command using crafted payload at `Host Name`. ## Root-cause When the function `setWanCfg` is called, it crafts os command following syntax `echo '%s' > /proc/sys/kernel/hostname`. The value of `Host name` is not validated. An attacker can send crafted payload to execute OS command. ![image](https://user-images.githubusercontent.com/29118926/257681580-135b9274-1f06-4a2b-b5cd-6c820e78a178.png)
المصدر	⚠️ https://gist.github.com/dmknght/02a29e1c5ae18b45eacc2085d22068e8
المستخدم	dmknght (UID 51830)
ارسال	02/08/2023 04:38 AM (3 سنوات منذ)
الاعتدال	18/08/2023 10:04 AM (16 days later)
الحالة	تمت الموافقة
إدخال VulDB	237515 [TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 setWanCfg تجاوز الصلاحيات]
النقاط	20

Might our Artificial Intelligence support you?

Check our Alexa App!