| 标题 | Totolink X6000R V9.4.0cu.1360_B20241207/V9.4.0cu.1498_B20250826 OS Command Injection |
|---|
| 描述 | A critical vulnerability was found in Totolink X6000R V9.4.0cu.1360_B20241207 and V9.4.0cu.1498_B20250826. The setLanCfg handler in /usr/sbin/shttpd passes the hostname parameter unsanitized into the shell command: echo '%s' > /proc/sys/kernel/hostname. The input validation function at 0x417cb4 fails to block single quote (0x27), double quote (0x22), output redirection (>), and comment character (#). An authenticated attacker can inject hostname=x'+>/etc/crontabs/root+# to escape the quoted context, redirect output to arbitrary files, and achieve persistent Remote Code Execution via cron job injection. This vulnerability is distinct from CVE-2025-52905/52906/52907 which target different handlers (setDiagnosisCfg/setTracerouteCfg) using a different attack vector. |
|---|
| 用户 | 1935648903 (UID 91849) |
|---|
| 提交 | 2026-03-09 10時03分 (22 日前) |
|---|
| 管理 | 2026-03-23 06時44分 (14 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 352475 [TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826 /usr/sbin/shttpd setLanCfg 主机名 权限提升] |
|---|
| 积分 | 17 |
|---|