| Название | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 OS Command Injection |
|---|
| Описание | The vulnerability is located in the setUpgradeUboot handler within upgrade.so. The web management interface retrieves the user-controlled FileName parameter and passes it into the bootloader upgrade routine. This endpoint can be reached remotely without authentication and does not require user interaction.
The root cause is improper neutralization of externally supplied input before it is embedded into shell command strings. The FileName value is forwarded to mtd_write_bootloader(), where it is inserted directly into command templates and executed through CsteSystem(). Because no sanitization or escaping is applied, shell metacharacters in FileName can terminate the intended command context and inject arbitrary operating system commands. |
|---|
| Источник | ⚠️ https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/02_setUpgradeUboot_RCE |
|---|
| Пользователь | xuanyu (UID 36103) |
|---|
| Представление | 03.04.2026 16:17 (2 месяцы назад) |
|---|
| Модерация | 12.04.2026 20:06 (9 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 357038 [Totolink N300RH 6.1c.1353_B20190305 upgrade.so setUpgradeUboot FileName эскалация привилегий] |
|---|
| Баллы | 20 |
|---|