TOTOLINK A3000RU Command Injection

By

Zioncom (Hong Kong) Technology Limited also know as TOTOLINK is a professional manufacturer for network communication products, including Wireless Router/AP (Indoor & Outdoor), Wireless USB Adapter, Wireless Module, Switch and Wired Router. ZIONCOM (HK) was established on 1999.

A3000RU is a wireless router complies with the latest IEEE 802.11ac wave2 Wi-Fi standard, with MU-MIMO technology offering continual high speed data transmission for multiple devices at the same time.

Command injection vulnerability exists in TOTOLINK A3000RU router.

Command Injection Vulnerability
The goal of command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation

TOTOLINK A3000RU Command Injection | CVE-2022-25075
TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the “Main” function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

In the following exploit the attacker can pass commands like ‘wget’ via the query string . This command is used to download toto.sh script from the attacker controlled website. The attacker then changes the permissions of the script and executes the malicious script on the device.

 

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15515:TOTOLINK A3000RU Command Injection

IoCs
179.43.142.11
36db973e85684633846a2cd9c46ca48896b5703b9aeb174b1f741633428f68c1

Threat Graph

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.