New Bug in Router NR1800X — Command injection via setUssd
Hi and welcome to all readers of this post.
In a Mitre publication, a vulnerability of a TOTOLink NR1800X router (CVE-2022–41525) version V9.1.0u.6279_B20210910 appeared, which caught my attention so I kept learning more about the vulnerability.
Vendor — https://www.totolink.net
Wrapping up a bit more on the reported vulnerability, I proceeded to do some tests like emulating the firmware and starting my script in Ghidra to identify other potentially dangerous functions (Rce / BoF).
As a result I get a large list of promising functions (strcpy / system / etc). One of them is highlighted in the image (0x0041a68c), pointing to the function that contains the vulnerability.
Starting with the analysis on the function we can quickly see the vulnerability where the v17 buffer is formatted on line 26 and then sent as a parameter by the system() function.
After finding out what the function name (setUssd) that executes the ussdaction, I was able to recreate a payload in burpSuite to start the telnetd service on the router.
Finally develop the exploit by concatenating two vulnerabilities. The first is a request to bypass authentication, which gets the session to be sent to the second request that exploits code execution.
原文始发于Miguel Méndez Z.：New Bug in Router NR1800X — Command injection via setUssd
转载请注明：New Bug in Router NR1800X — Command injection via setUssd | CTF导航