| タイトル | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 OS Command Injection |
|---|
| 説明 | The vulnerability is located in the setUpgradeUboot handler within upgrade.so. The web management interface retrieves the user-controlled FileName parameter and passes it into the bootloader upgrade routine. This endpoint can be reached remotely without authentication and does not require user interaction.
The root cause is improper neutralization of externally supplied input before it is embedded into shell command strings. The FileName value is forwarded to mtd_write_bootloader(), where it is inserted directly into command templates and executed through CsteSystem(). Because no sanitization or escaping is applied, shell metacharacters in FileName can terminate the intended command context and inject arbitrary operating system commands. |
|---|
| ソース | ⚠️ https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/02_setUpgradeUboot_RCE |
|---|
| ユーザー | xuanyu (UID 36103) |
|---|
| 送信 | 2026年04月03日 16:17 (23 日 ago) |
|---|
| モデレーション | 2026年04月12日 20:06 (9 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 357038 [Totolink N300RH 6.1c.1353_B20190305 upgrade.so setUpgradeUboot FileName 特権昇格] |
|---|
| ポイント | 20 |
|---|