| タイトル | Totolink X6000R V9.4.0cu.1360_B20241207/V9.4.0cu.1498_B20250826 OS Command Injection |
|---|
| 説明 | A critical vulnerability was found in Totolink X6000R V9.4.0cu.1360_B20241207 and V9.4.0cu.1498_B20250826. The setLanCfg handler in /usr/sbin/shttpd passes the hostname parameter unsanitized into the shell command: echo '%s' > /proc/sys/kernel/hostname. The input validation function at 0x417cb4 fails to block single quote (0x27), double quote (0x22), output redirection (>), and comment character (#). An authenticated attacker can inject hostname=x'+>/etc/crontabs/root+# to escape the quoted context, redirect output to arbitrary files, and achieve persistent Remote Code Execution via cron job injection. This vulnerability is distinct from CVE-2025-52905/52906/52907 which target different handlers (setDiagnosisCfg/setTracerouteCfg) using a different attack vector. |
|---|
| ユーザー | 1935648903 (UID 91849) |
|---|
| 送信 | 2026年03月09日 10:03 (21 日 ago) |
|---|
| モデレーション | 2026年03月23日 06:44 (14 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 352475 [TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826 /usr/sbin/shttpd setLanCfg ホスト名 特権昇格] |
|---|
| ポイント | 17 |
|---|