Security / vulnerability advisories for TOTOLINK A720r Firmware 4.1.5cu.470 B20200911

Description

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Damage

• Complete loss of protection.
• Access to all information.
• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection'): The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

• https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_3/3.md

Description

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the setWiFiWpsStart function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the pin parameter.

Damage

• Complete loss of protection.
• Access to all information.
• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-787, Out-of-bounds Write: The software writes data past the end, or before the beginning, of the intended buffer.

References

• https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_4/4.md

Description

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the flag parameter.

Damage

• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-787, Out-of-bounds Write: The software writes data past the end, or before the beginning, of the intended buffer.

References

• https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_5/5.md

Description

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the Host parameter.

Damage

• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-787, Out-of-bounds Write: The software writes data past the end, or before the beginning, of the intended buffer.

References

• https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_6/6.md

Description

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter.

Damage

• Complete loss of protection.
• Access to all information.
• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection'): The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

• https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_1/1.md

Description

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain a stack overflow in the function setNoticeCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IpTo parameter.

Damage

• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-787, Out-of-bounds Write: The software writes data past the end, or before the beginning, of the intended buffer.

References

• https://github.com/pjqwudi/my_vuln/blob/main/totolink/vuln_2/2.md

Description

totolink EX300_v2, ver V4.0.3c.140_B20210429 and A720R ,ver V4.1.5cu.470_B20200911 have an issue which causes uncontrolled resource consumption.

Damage

• Full Denial Of Service (DoS).

Attack conditions

• Attacking requires physical proximity to the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-400, Uncontrolled Resource Consumption: The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

• https://github.com/chibataiki/iot-vuls/blob/main/totolink/dos.md

Description

A vulnerability in TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to start the Telnet service, then login with the default credentials via a crafted POST request.

Damage

• Complete loss of protection.
• Access to all information.
• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-862, Missing Authorization: The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

• https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_default_telnet_info.md

Description

A vulnerability in TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows attackers to download the configuration file via sending a crafted HTTP request.

Damage

• Access to all information.

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

References

• https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_leak_config_file.md

Description

A stack overflow in the checkLoginUser function of TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to cause a denial of service (DOS).

Damage

• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-787, Out-of-bounds Write: The software writes data past the end, or before the beginning, of the intended buffer.

References

• https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_cookie_overflow.md

Description

A vulnerability in the Form_Login function of TOTOLINK A720R A720R_Firmware V4.1.5cu.470_B20200911 allows attackers to bypass authentication.

Damage

• Complete loss of protection.
• Access to all information.
• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-287, Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

• https://github.com/hurricane618/my_cves/blob/master/router/totolink/A720R_login_bypass.md

Description

Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS.

Damage

• Complete loss of protection.
• Access to all information.
• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

• https://hackmd.io/Hy3oVgtcQiuqAtv9FdylHw
• https://hackmd.io/KjXzQdjDRjOuRjoZZXQo_A

Description

Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "command" parameter is directly passed to the attacker, allowing them to control the "command" field to attack the OS.

Damage

• Complete loss of protection.
• Access to all information.
• Full Denial Of Service (DoS).

Attack conditions

• Remote attacking is possible through the network and can be done by anyone (requires no authentication).
• No user interaction is required.
• The attack is estimated to have a high success rate, once attempted.

Type of bug(s)

• CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

• https://hackmd.io/7FtB06f-SJ-SCfkMYcXYxA
• https://hackmd.io/mDgIBvoxSPCZrZiZjfQGhw