Message-Id: <A833A8AC-4E21-49A6-87D8-285A0FF8B981@hasborg.com>
Date: Thu, 16 Jul 2015 07:12:07 -0400
From: Joshua Wright <jwright@...borg.com>
To: Pierre Kim <pierre.kim.sec@...il.com>
Cc: fulldisclosure <fulldisclosure@...lists.org>, bugtraq@...urityfocus.com
Subject: Re: [FD] 15 TOTOLINK router models vulnerable to multiple RCEs

> Title: 15 TOTOLINK router models vulnerable to multiple RCEs
> Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt
> Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
> Date published: 2015-07-16
> Vendors contacted: None
> Release mode: 0days, Released
> CVE: no current CVE

This was my morning LOL:

$ curl -o 'TOTOLINK N300RG_8_70.zip' 'http://totolink.net/include/download.asp?path=down/010300&file=TOTOLINK%20N300RG_8_70.zip'
$ unzip TOTOLINK\ N300RG_8_70.zip
$ binwalk -e TOTOLINK\ N300RG_8_70.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0xB0D462F0, created: 2013-08-19 07:55:35, image size: 1875904 bytes, Data Address: 0x80000000, Entry Point: 0x802CB000, data CRC: 0x6F60CB3, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "zn300rg"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3038108 bytes
864256        0xD3000         Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 1010967 bytes, 352 inodes, blocksize: 65536 bytes, created: 2013-08-19 07:55:31

$ grep -hR cgi-bin _TOTOLINK\ N300RG_8_70.bin.extracted/ 2>/dev/null
<meta http-equiv=refresh content="0; URL=/cgi-bin/timepro.cgi?tmenu=main_frame&smenu=main_frame">
   winurl = "/cgi-bin/timepro.cgi?tmenu=popup&smenu="+flag;
Binary file _TOTOLINK N300RG_8_70.bin.extracted/squashfs-root/bin/timepro.cgi matches
Binary file _TOTOLINK N300RG_8_70.bin.extracted/squashfs-root/bin/login-cgi/login.cgi matches
ScriptAlias /cgi-bin/ /bin/
Auth /cgi-bin /etc/httpd.passwd

I assume the conversation went like this:

DEV1: We need access to shell commands for the admin interface!
DEV2: OK, let’s ScriptAlias the system /bin directory to /cgi-bin/.
DEV1: Good idea.
FIN

-Josh
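As an added audit example (not part of Josh's post or of the TOTOLINK firmware), a small Python check that parses the `ScriptAlias` / `Auth` directives like the two the grep turned up out of an embedded httpd config and flags any alias whose filesystem target is a system binary directory. The config text is a constructed sample, and the one-directive-per-line syntax is assumed from the lines shown above.

```python
"""Flag ScriptAlias directives that expose a system binary directory as CGI.
Added example; the config below is constructed, not the firmware's own file."""
import re
from pathlib import PurePosixPath

# Directories whose contents should never be reachable as CGI handlers.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}

# Constructed sample modelled on the directives seen in the extracted rootfs.
SAMPLE_CONFIG = """\
# constructed sample config
ScriptAlias /cgi-bin/ /bin/
Auth /cgi-bin /etc/httpd.passwd
ScriptAlias /cgi-safe/ /usr/www/cgi-bin/
ScriptAlias /tools/ /usr/sbin
"""

def parse_config(text):
    """Return (aliases, auths): url prefix -> fs dir, url prefix -> passwd file."""
    aliases, auths = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        m = re.match(r"ScriptAlias\s+(\S+)\s+(\S+)$", line)
        if m:
            aliases[m.group(1)] = m.group(2)
            continue
        m = re.match(r"Auth\s+(\S+)\s+(\S+)$", line)
        if m:
            auths[m.group(1)] = m.group(2)
    return aliases, auths

def audit(text):
    """One finding per alias whose target is (inside) a system bin directory.
    'auth' records whether an Auth directive covers the same URL prefix; even
    then every binary in that directory is a CGI endpoint for any admin user."""
    aliases, auths = parse_config(text)
    findings = []
    for url, fsdir in aliases.items():
        target = str(PurePosixPath(fsdir))  # normalises the trailing slash
        exposed = target in SYSTEM_BIN_DIRS or any(
            target.startswith(d + "/") for d in SYSTEM_BIN_DIRS)
        if exposed:
            protected = any(url.rstrip("/") == a.rstrip("/") for a in auths)
            findings.append({"url": url, "target": target, "auth": protected})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['url']} -> {f['target']} (auth: {f['auth']})")
```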
