| Título | Totolink X6000R V9.4.0cu.1360_B20241207/V9.4.0cu.1498_B20250826 OS Command Injection |
|---|
| Descripción | A critical vulnerability was found in Totolink X6000R V9.4.0cu.1360_B20241207 and V9.4.0cu.1498_B20250826. The setLanCfg handler in /usr/sbin/shttpd passes the hostname parameter unsanitized into the shell command: echo '%s' > /proc/sys/kernel/hostname. The input validation function at 0x417cb4 fails to block single quote (0x27), double quote (0x22), output redirection (>), and comment character (#). An authenticated attacker can inject hostname=x'+>/etc/crontabs/root+# to escape the quoted context, redirect output to arbitrary files, and achieve persistent Remote Code Execution via cron job injection. This vulnerability is distinct from CVE-2025-52905/52906/52907 which target different handlers (setDiagnosisCfg/setTracerouteCfg) using a different attack vector. |
|---|
| Usuario | 1935648903 (UID 91849) |
|---|
| Sumisión | 2026-03-09 10:03 (hace 21 días) |
|---|
| Moderación | 2026-03-23 06:44 (14 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 352475 [TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826 /usr/sbin/shttpd setLanCfg Nombre de host escalada de privilegios] |
|---|
| Puntos | 17 |
|---|