Hi and welcome to all readers of this post.
A MITRE CVE entry for the TOTOLink NR1800X router, CVE-2022-41525 (firmware version V9.1.0u.6279_B20210910), caught my attention, so I set out to learn more about the vulnerability.
Vendor — https://www.totolink.net
Digging further into the reported vulnerability, I emulated the firmware and ran my Ghidra script to flag calls to potentially dangerous functions (RCE / BoF candidates).
The result is a long list of candidate call sites (strcpy, system, etc.). One of them, at 0x0041a68c, is highlighted in the image; it points to the function that contains the vulnerability.
After the Ghidra pass, I continued analyzing the cstecgi.cgi binary in IDA (using several tools is only a matter of convenience).
Looking at the function, the vulnerability is immediately visible: the v17 buffer is formatted on line 26 with request-controlled data and then passed as the argument to system(). Because the value reaches a shell without any validation, shell metacharacters in it are interpreted as additional commands.
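To make the bug class concrete, the following is an added C example, not the router's code and not the author's: it reconstructs the pattern described above (a request parameter formatted into a buffer that is then handed to system()) and places it next to an allow-list check and a shell-free execvp path. The command name ussd_tool, its -a flag and the sample payload are assumptions; the page does not show the actual command line the router builds.

```c
/* Added example reconstructing the setUssd bug class. The command name
 * "ussd_tool", the "-a" flag and the payload are assumptions, not taken
 * from the firmware. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256
#define USSD_MAX 32

static char g_cmd[CMD_MAX]; /* shared output buffer, like the decompiled v17 */

/* Vulnerable pattern: the ussdaction value is dropped into the command
 * string unchanged, so "*100#;telnetd" becomes two shell commands.
 * Returns the built command, or NULL if it would not fit. */
const char *ussd_cmd_vulnerable(const char *ussdaction)
{
    int n = snprintf(g_cmd, sizeof g_cmd, "ussd_tool -a %s", ussdaction);
    if (n < 0 || (size_t)n >= sizeof g_cmd)
        return NULL;
    return g_cmd; /* a real handler would now call system(g_cmd) */
}

/* Allow-list check: a USSD code consists only of digits, '*' and '#',
 * so anything else (';', '|', '`', '$', spaces, quotes) is rejected. */
bool ussdaction_is_valid(const char *s)
{
    size_t len;
    if (s == NULL)
        return false;
    len = strlen(s);
    if (len == 0 || len > USSD_MAX)
        return false;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isdigit(c) && c != '*' && c != '#')
            return false;
    }
    return true;
}

/* Hardened builder: same command, but only after the allow-list check.
 * Returns NULL for rejected input. */
const char *ussd_cmd_hardened(const char *ussdaction)
{
    if (!ussdaction_is_valid(ussdaction))
        return NULL;
    return ussd_cmd_vulnerable(ussdaction);
}

/* Preferred fix: do not involve a shell at all. The value travels as a single
 * argv element, so metacharacters are never interpreted. Returns the child's
 * exit status or -1 on failure. */
int run_ussd_noshell(const char *ussdaction)
{
    pid_t pid;
    int status;
    if (!ussdaction_is_valid(ussdaction))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ussd_tool", "-a", (char *)ussdaction, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload in the spirit of the write-up: a plausible USSD
     * code followed by an injected command. */
    const char *payload = "*100#;telnetd";
    printf("vulnerable : %s\n", ussd_cmd_vulnerable(payload));
    printf("hardened   : %s\n", ussd_cmd_hardened(payload) ? "accepted" : "rejected");
    printf("hardened   : %s\n", ussd_cmd_hardened("*100#"));
    return 0;
}
```

The allow-list alone would stop this particular injection, but it only works because a USSD code has a tiny, well-defined alphabet; for parameters with a richer character set the argv-based path in run_ussd_noshell is the fix to rely on, since it never gives the input to a shell in the first place.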
After identifying the handler (setUssd) that processes the ussdaction parameter, I was able to craft a payload in Burp Suite that starts the telnetd service on the router.
Finally, the exploit chains two vulnerabilities: the first request bypasses authentication and obtains a session, which is then sent with the second request that triggers the command injection.
PoC video
https://www.youtube.com/watch?v=Mcutnejlepk
Originally published by Miguel Méndez Z.: New Bug in Router NR1800X — Command injection via setUssd