| Field | Value |
|---|---|
| Title | Format string bypasses input validation, leads to RCE in multiple TOTOlink devices |
| Description | A special character isn't blacklisted in the function `Validity_check`, which bypasses the input validation and allows an attacker to execute remote OS commands as root. It looks like the function `doSystem` is vulnerable to a format string. The attacker can execute the payload after the character `%` as a new command, due to an unknown reason in the code's logic. The vulnerability was tested and confirmed on TOTOLink N200RE V5, version V9.3.5u.6437_B20230519. All commands that share the same code base should be vulnerable too (such as TOTOLINK EX1200T V4.1.2cu.5215 CVE-2021-42875, TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023 CVE-2023-4410 and so on). The real number of vulnerable firmware / devices is unknown. |
| Source | https://gist.github.com/dmknght/8f3b6aa65e9d08f45b5236c6e9ab8d80 |
| User | dmknght (UID 51830) |
| Submission | 2023-08-27 10:18 (3 years ago) |
| Moderation | 2023-09-03 08:49 (7 days later) |
| Status | Accepted |
| VulDB Entry | 238635 [TOTOLINK N200RE V5 9.3.5u.6437_B20230519 Validity_check Format String] |
| Points | 20 |