| Field | Value |
|---|---|
| Title | Format string bypasses input validation, leads to RCE in multiple TOTOlink devices |
| Description | A special character isn't blacklisted in the function `Validity_check`; this bypasses the input validation and allows an attacker to execute remote OS commands as root. It looks like the function `doSystem` is vulnerable to a format string attack. An attacker can execute the payload after the character `%` as a new command, due to an unknown reason in the code's logic. The vulnerability was tested and confirmed on TOTOLink N200RE V5, version V9.3.5u.6437_B20230519. All commands that share the same code base should be vulnerable too (such as TOTOLINK EX1200T V4.1.2cu.5215 CVE-2021-42875, TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 CVE-2023-4410 and so on). The real number of vulnerable firmware versions / devices is unknown. |
| Source | https://gist.github.com/dmknght/8f3b6aa65e9d08f45b5236c6e9ab8d80 |
| User | dmknght (UID 51830) |
| Submission | 27.08.2023 10:18 (3 years ago) |
| Moderation | 03.09.2023 08:49 (7 days later) |
| Status | Accepted |
| VulDB Entry | 238635 [TOTOLINK N200RE V5 9.3.5u.6437_B20230519 Validity_check Format String] |
| Points | 20 |