A potentially dangerous command injection vulnerability has been discovered in the TOTOlink A710RU V7.4cu.2313_B20191024 firmware. In this blog post, we will explore the details of this vulnerability, including the root cause, a brief look into the code snippets, links to the original references, and how an attacker can potentially exploit this vulnerability.

Vulnerability Overview

The primary cause of this vulnerability is improper handling of user input by the setting/setOpenVpnCfg function, which allows for arbitrary command execution through the 'pass' parameter. An attacker can exploit this flaw to execute arbitrary code with root privileges, potentially enabling them to take full control of a vulnerable device.

Original References

The vulnerability is documented in the MITRE database as CVE-2022-44844. The details and technical specifications can be found at the following sources:

- MITRE CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44844
- NIST National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-44844

The code snippet below showcases the vulnerability in the setting/setOpenVpnCfg function:

#include <stdio.h>

void setting_OpenVpnCfg(char* username, char* pass, int enable) {
    char command[1024];

    // ...

    if (pass) {
        // ... (existing checks on pass; they do not neutralise shell metacharacters)

        // Vulnerable: user-supplied input is embedded in a shell command string
        // and handed to popen(), which runs it through /bin/sh.
        snprintf(command, sizeof(command), "echo '%s' > /etc/openvpn/auth/%s", pass, "password");
        FILE *fd = popen(command, "r");
        if (fd) {
            // ...
            pclose(fd);
        }
    }

    // ...
}

In the code snippet above, the user-supplied pass variable is embedded in a shell command string and passed to the 'popen' function without any sanitisation. This enables an attacker to craft a malicious input containing arbitrary shell commands that are executed with root privileges.
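A hardened form of the credential write, added here as an illustration and not the firmware's own code (the function names and the character allow-list are assumptions): the value is written with fopen() instead of through a shell, and the input is checked against an allow-list before it is used.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for the vulnerable write in setting/setOpenVpnCfg.
 * Function names and the allow-list below are assumptions for this example. */

/* Allow-list check: only characters that cannot change the meaning of a
 * shell command line are accepted. Note that the single quotes in the
 * original snprintf() format are no protection: a ' inside pass closes
 * the quoted string and everything after it is parsed by /bin/sh. */
int openvpn_pass_is_safe(const char *pass) {
    if (pass == NULL || pass[0] == '\0' || strlen(pass) > 128)
        return 0;
    for (const char *p = pass; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && strchr("._-@#%^+=:,", c) == NULL)
            return 0;
    }
    return 1;
}

/* Write the credential with fopen()/fputs() instead of popen("echo ... > ...").
 * No shell is involved, so there is nothing left to inject into.
 * Returns 0 on success, -1 for rejected input, -2 on I/O failure. */
int write_openvpn_auth(const char *path, const char *pass) {
    if (!openvpn_pass_is_safe(pass))
        return -1;
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -2;
    int ok = fputs(pass, f) != EOF && fputc('\n', f) != EOF;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -2;
}

int main(void) {
    /* Constructed sample inputs; the second mirrors the injection shape described in this post. */
    const char *samples[] = {"my_password", "my_password; [MALICIOUS_COMMAND];", "pa'ss"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i],
               openvpn_pass_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```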

Exploiting the Vulnerability

To exploit this vulnerability, an attacker could connect to the TOTOlink A710RU V7.4cu.2313_B20191024 web interface and submit a crafted value to the 'pass' parameter in the setting/setOpenVpnCfg function.

For instance, the attacker could use an input like the following:

my_password; [MALICIOUS_COMMAND];

When this string is passed to the 'popen' function, the shell executes the injected command with root privileges.

In practice, an attacker could infect the device with malware, abuse its resources, or leak sensitive information. The impact is even more severe if the device is not behind a firewall or otherwise secured, since the attacker could then pivot to other devices on the local network or gain access to additional servers.

Conclusion and Recommendations

The command injection vulnerability in TOTOlink A710RU V7.4cu.2313_B20191024 is a serious security issue that could allow an attacker to take full control of a vulnerable device. Users of this firmware version should update to the latest firmware as soon as possible, which should resolve the vulnerability. Additionally, users should change the default passwords and settings on their devices and regularly apply security patches to protect their systems from such risks.

Timeline

Published on: 11/25/2022 20:15:00 UTC
Last modified on: 12/01/2022 17:48:00 UTC