Open in app

Sign up

Sign in

Write

Sign up

Sign in

New Bug in Router NR1800X — Command injection via setUssd

Miguel Méndez Z.
InfoSec Write-ups
Published in
3 min readNov 10, 2022

--

Hi and welcome to all readers of this post.

In a Mitre publication, a vulnerability of a TOTOLink NR1800X router (CVE-2022–41525) version V9.1.0u.6279_B20210910 appeared, which caught my attention so I kept learning more about the vulnerability.

Vendor — https://www.totolink.net

Wrapping up a bit more on the reported vulnerability, I proceeded to do some tests like emulating the firmware and starting my script in Ghidra to identify other potentially dangerous functions (Rce / BoF).

As a result I get a large list of promising functions (strcpy / system / etc). One of them is highlighted in the image (0x0041a68c), pointing to the function that contains the vulnerability.

Function list

After I’ve already used Ghidra, I continued to analyze the binary cstecgi.cgi in IDA. (The use of multiple tools is only for convenience).

Starting with the static analysis on the function we can quickly see the vulnerability where the v17 buffer is formatted on line 26 and then sent as a parameter by the system() function.

Reversing in IDA

Now to see in greater detail we are going to see the whole process of how the parameters are passed to memory, debugging the firmware in system mode.

First we put a breakpoint in the websGetVar() function that is responsible for obtaining the values sent in the request body. In this case, it validates that the value sent is ussd.

send data via request

Then the string is formatted with snprintf(), which is stored in buffer 0x7fff5230.

formating string

Here we can see how the formatted string finally looks in the buffer.

buffer with data

Finally, the call to the system() function is made with the stack parameters.

call system()

And for the execution of the command to be possible, it is necessary to identify the name setUssd that activates the action, and with this we can recreate a payload to start the telnetd service in the router.

Request PoC

Finally develop the exploit by concatenating two vulnerabilities. The first is a request to bypass authentication, which gets the session to be sent to the second request that exploits code execution.

Exploit

Poc Video

https://www.youtube.com/watch?v=Mcutnejlepk

Conclusion

New (0Day) vulnerabilities can always be found in already analyzed systems.

Blog

Miguel M.Z - @s1kr10s

Edit description

s1kr10s.github.io

From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 GitHub Repos and tools, and 1 job alert for FREE!

--

--

Miguel Méndez Z.
InfoSec Write-ups
Follow

Written by Miguel Méndez Z.

129 Followers

https://s1kr10s.github.io/whoami.html — @s1kr10s

Follow

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams