| Title | LBlink BL-AC3600 1.0.22 Command Injection |
|---|
| Description | BL-AC3600
Version 1.0.22
The password modification function lacks content filtering, resulting in a command injection vulnerability.
Technical Analysis:
● v8 is a pointer to the routepwd field
● v9 represents the user-input value
● The strcpy function copies the value of v9 to v37
● easy_uci_set_option_string_0 concatenates "chpasswd.sh root" with v37 and passes it to v36
● The concatenated string is directly executed by the system function
Proof of Concept:
1. Craft malicious request packet
2. Observe "Operation Successful" response
3. Successfully establish reverse shell
Vulnerability Validation:
Command injection confirmed through reverse shell acquisition.
|
|---|
| Source | ⚠️ https://github.com/GrayLxton/BLink_poc |
|---|
| User | Gray (UID 84168) |
|---|
| Submission | 2025. 04. 16. 09:15 PM (1 year ago) |
|---|
| Moderation | 2025. 04. 29. 07:43 AM (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 306513 [LB-LINK BL-AC3600 up to 1.0.22 Password /cgi-bin/lighttpd.cgi easy_uci_set_option_string_0 routepwd privilege escalation] |
|---|
| Points | 20 |
|---|
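
The description above reports an unfiltered `routepwd` value being copied with `strcpy`, appended to `chpasswd.sh root`, and run through `system`. The C below is an added example of the corresponding fix, not LB-LINK firmware code or the submitter's code: it bounds and allowlists the value, then runs the helper with an argument vector so no shell parses it. The function names, the character allowlist, the 64-character limit and the helper path are assumptions.

```c
/* Added example: hypothetical names, not taken from the BL-AC3600 firmware. */
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PWD_MAX 64   /* assumed upper bound; replaces the unbounded strcpy */

/* Returns 1 only for 1..PWD_MAX characters drawn from a fixed allowlist.
 * Shell metacharacters, whitespace and a leading '-' (which a helper could
 * read as an option) are all rejected. */
int password_is_safe(const char *pwd)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._@-";
    size_t n = pwd ? strlen(pwd) : 0;

    if (n == 0 || n > PWD_MAX || pwd[0] == '-')
        return 0;
    return strspn(pwd, allowed) == n;
}

/* Validates pwd, then runs `helper root <pwd>` via fork/execv.
 * The password travels as a single argv element, never through a shell
 * command line. Returns the helper's exit status, or -1 if the value is
 * rejected or the process could not be started or waited for. */
int set_root_password(const char *helper, const char *pwd)
{
    int status;
    pid_t pid;

    if (!password_is_safe(pwd))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, "root", (char *)pwd, NULL };
        execv(helper, argv);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the helper named on the page is itself a shell script, it must also quote its positional parameters; the allowlist is what keeps the value safe if it does not.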