> Title: 15 TOTOLINK router models vulnerable to multiple RCEs
> Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
> Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
> Date published: 2015-07-16
> Vendors contacted: None
> Release mode: 0days, Released
> CVE: no current CVE

This was my morning LOL:

$ curl -O http://totolink.net/include/download.asp?path=down/010300&file=TOTOLINK%20N300RG_8_70.zip
$ unzip TOTOLINK\ N300RG_8_70.bin
$ binwalk -e TOTOLINK\ N300RG_8_70.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0xB0D462F0, created: 2013-08-19 07:55:35, image size: 1875904 bytes, Data Address: 0x80000000, Entry Point: 0x802CB000, data CRC: 0x6F60CB3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "zn300rg"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3038108 bytes
864256        0xD3000         Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 1010967 bytes, 352 inodes, blocksize: 65536 bytes, created: 2013-08-19 07:55:31

$ grep -hR cgi-bin _TOTOLINK\ N300RG_8_70.bin.extracted/ 2>/dev/null
<meta http-equiv=refresh content="0; URL=/cgi-bin/timepro.cgi?tmenu=main_frame&smenu=main_frame">
winurl = "/cgi-bin/timepro.cgi?tmenu=popup&smenu="+flag;
Binary file _TOTOLINK N300RG_8_70.bin.extracted/squashfs-root/bin/timepro.cgi matches
Binary file _TOTOLINK N300RG_8_70.bin.extracted/squashfs-root/bin/login-cgi/login.cgi matches
ScriptAlias /cgi-bin/ /bin/
Auth /cgi-bin /etc/httpd.passwd

I assume the conversation went like this:

DEV1: We need access to shell commands for the admin interface!
DEV2: OK, let's ScriptAlias the system /bin directory to /cgi-bin/.
DEV1: Good idea.

FIN

-Josh
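A defender-side audit for the configuration pattern Josh points out, written as an added example (not code from the post or from the advisory): it scans an extracted firmware's httpd config for ScriptAlias directives that map a URL prefix onto a system binary directory such as /bin/, which turns every executable in that directory into a reachable CGI, and reports whether an Auth directive covers that prefix. The sample config is constructed around the two lines grepped out of the firmware above; the directive grammar, the Auth prefix semantics and the severity labels are assumptions, not vendor documentation.

```python
import os
from dataclasses import dataclass

# Directories holding system binaries; exposing one as a CGI tree makes every
# executable inside it callable over HTTP (assumed list, extend as needed).
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}

# Constructed sample config; the ScriptAlias and Auth lines mirror the post.
SAMPLE_CONF = """\
ServerName TOTOLINK
DocumentRoot /home/httpd
ScriptAlias /cgi-bin/ /bin/
ScriptAlias /admin-cgi/ /home/httpd/cgi/
Auth /cgi-bin /etc/httpd.passwd
"""

@dataclass
class Finding:
    url_prefix: str
    fs_dir: str
    authenticated: bool   # an Auth directive covers the URL prefix
    severity: str

def _norm(path: str) -> str:
    return os.path.normpath(path)

def _covered(url: str, auth_prefix: str) -> bool:
    u, a = _norm(url), _norm(auth_prefix)
    return a == "/" or u == a or u.startswith(a + "/")

def audit_httpd_conf(conf: str) -> list:
    """Flag ScriptAlias directives whose target is a system binary directory."""
    aliases, auth_prefixes = [], []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 3:
            continue
        if parts[0].lower() == "scriptalias":
            aliases.append((parts[1], parts[2]))
        elif parts[0].lower() == "auth":
            auth_prefixes.append(parts[1])
    findings = []
    for url, fs in aliases:
        if _norm(fs) not in SYSTEM_BIN_DIRS:
            continue
        authed = any(_covered(url, a) for a in auth_prefixes)
        findings.append(Finding(url, fs, authed, "high" if authed else "critical"))
    return findings

if __name__ == "__main__":
    for f in audit_httpd_conf(SAMPLE_CONF):
        print(f)
```

Authentication in front of the prefix only lowers the severity: the underlying exposure is the mapping itself, and the fix is to alias a directory that contains nothing but the intended CGI programs.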