Submission #200459: Format string bypasses input validation, leads to RCE in multiple TOTOlink devices

Title: Format string bypasses input validation, leads to RCE in multiple TOTOlink devices
Description: A special character is not blacklisted in the function `Validity_check`, which bypasses the input validation and allows an attacker to execute OS commands remotely as root. It looks like the function `doSystem` is vulnerable to a format string issue: the attacker's payload following the character `%` is executed as a new command, for a reason in the code's logic that is not yet understood. The vulnerability was tested and confirmed on TOTOLink N200RE V5, version V9.3.5u.6437_B20230519. All firmware that shares the same code base should be vulnerable too (such as TOTOLINK EX1200T V4.1.2cu.5215, CVE-2021-42875, and TOTOLINK EX1200L EN_V9.3.5u.6146_B20201023, CVE-2023-4410). The real number of vulnerable firmware versions and devices is unknown.
Source: https://gist.github.com/dmknght/8f3b6aa65e9d08f45b5236c6e9ab8d80
User: dmknght (UID 51830)
Submitted: 27/08/2023 10:18 (3 years ago)
Moderated: 03/09/2023 08:49 (7 days later)
Status: Accepted
VulDB entry: 238635 [TOTOLINK N200RE V5 9.3.5u.6437_B20230519 Validity_check Format String]
Points: 20
