| 제목 | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 OS Command Injection |
|---|
| 설명 | The vulnerability is located in the setUpgradeUboot handler within upgrade.so. The web management interface retrieves the user-controlled FileName parameter and passes it into the bootloader upgrade routine. This endpoint can be reached remotely without authentication and does not require user interaction.
The root cause is improper neutralization of externally supplied input before it is embedded into shell command strings. The FileName value is forwarded to mtd_write_bootloader(), where it is inserted directly into command templates and executed through CsteSystem(). Because no sanitization or escaping is applied, shell metacharacters in FileName can terminate the intended command context and inject arbitrary operating system commands. |
|---|
| 원천 | ⚠️ https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/02_setUpgradeUboot_RCE |
|---|
| 사용자 | xuanyu (UID 36103) |
|---|
| 제출 | 2026. 04. 03. PM 04:17 (24 날 ago) |
|---|
| 모더레이션 | 2026. 04. 12. PM 08:06 (9 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 357038 [Totolink N300RH 6.1c.1353_B20190305 upgrade.so setUpgradeUboot FileName 권한 상승] |
|---|
| 포인트들 | 20 |
|---|