CVE-2024-24328 Scanner

CVE-2024-24328 Scanner - Command Injection vulnerability in TotoLink A3300R

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 22 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

TotoLink A3300R is a dual-band wireless router used primarily in small businesses and home networks to provide internet access and local network connectivity. It supports various network features including port forwarding, MAC filtering, and firewall settings. Manufactured by TotoLink, it is known for its affordability and wide availability in the consumer market. The router is managed through a web-based interface, allowing users to modify settings and configurations. Devices like the A3300R are commonly deployed in homes, apartments, and small office environments. Because such devices are often internet-facing, security vulnerabilities in them can lead to serious threats.

This scanner detects a critical command injection vulnerability in the TotoLink A3300R router firmware. The vulnerability arises from improper input validation in the `setMacFilterRules` function, specifically within the `enable` parameter. This flaw allows remote attackers to execute arbitrary system commands without authentication. Command injection vulnerabilities like this can lead to full system compromise, especially when running with elevated privileges. The CVSS score of 9.8 reflects the ease of exploitation and the severe potential consequences. This issue impacts firmware version 17.0.0cu.557_B20221024.

The attack vector involves sending a crafted JSON payload via a POST request to the `/cgi-bin/cstecgi.cgi` endpoint. By injecting shell commands into the `enable` parameter, the attacker triggers command execution on the underlying system. In the scanner, the command `ls` is redirected to create a `.txt` file in the web-accessible directory, which is then retrieved using a second GET request. Successful exploitation is confirmed by the presence of expected directory contents (like `bin`, `etc`) in the response file. The vulnerability does not require prior authentication, making it especially dangerous.
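For defenders who log or proxy traffic to the router's management interface, the request shape described above can be triaged automatically. The classifier below is an added example, not the scanner's own code: it takes one captured request (method, path, raw body) and flags a `setMacFilterRules` call whose `enable` value carries shell metacharacters instead of a plain 0/1 flag. The endpoint, handler and parameter names come from the page; the JSON key `topicurl` that names the handler, the sample requests, and the verdict vocabulary are assumptions constructed for the example.

```python
import json
import re

# Endpoint, handler and parameter named on the page.
VULN_ENDPOINT = "/cgi-bin/cstecgi.cgi"
VULN_HANDLER = "setMacFilterRules"
VULN_PARAM = "enable"
# Characters that have no place in a boolean-like enable flag.
SHELL_META = re.compile(r"[;|&`$><\n]|\$\(")


def classify_request(method: str, path: str, body: str) -> dict:
    """Verdict for one captured HTTP request: ignore, malformed, benign,
    suspicious (non-flag value) or injection (shell metacharacters)."""
    if method.upper() != "POST" or path.split("?")[0] != VULN_ENDPOINT:
        return {"verdict": "ignore", "reason": "not the cstecgi.cgi endpoint"}
    try:
        data = json.loads(body)
    except ValueError:
        return {"verdict": "malformed", "reason": "body is not JSON"}
    if not isinstance(data, dict):
        return {"verdict": "malformed", "reason": "JSON body is not an object"}
    # Handler name may be a key or a value (assumed: TOTOLINK uses a value).
    handler_hit = VULN_HANDLER in data or any(
        str(v) == VULN_HANDLER for v in data.values())
    if not handler_hit:
        return {"verdict": "benign", "reason": "handler is not setMacFilterRules"}
    enable = str(data.get(VULN_PARAM, ""))
    if SHELL_META.search(enable):
        return {"verdict": "injection",
                "reason": f"shell metacharacters in enable={enable!r}"}
    if enable.lower() not in ("", "0", "1", "true", "false"):
        return {"verdict": "suspicious",
                "reason": f"enable is not a 0/1 flag: {enable!r}"}
    return {"verdict": "benign", "reason": "enable is a plain flag"}


# Constructed sample traffic (not real captures) to exercise the classifier;
# the 'topicurl' key is an assumption about the router's JSON layout.
SAMPLES = [
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl": "setMacFilterRules", "enable": "1"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl": "setMacFilterRules", "enable": "1;ls>out.txt"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"topicurl": "setMacFilterRules", "enable": "yes"}'),
    ("GET", "/index.html", ""),
]


def scan(samples=SAMPLES) -> list:
    """Run the classifier over a batch of requests and return the verdicts."""
    return [classify_request(*s)["verdict"] for s in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, scan()):
        print(verdict, sample[1], sample[2])
```

Any `injection` or `suspicious` verdict on a device still running 17.0.0cu.557_B20221024 should be treated as an exploitation attempt and the firmware updated.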

If exploited, this vulnerability allows attackers to run arbitrary commands on the device, potentially leading to complete system takeover. Attackers can read sensitive configuration files, modify network settings, or install persistent malware. It could also enable lateral movement within a local network, allowing further compromise of other connected systems. In home and SOHO networks, this can compromise user privacy and network availability. If the device is exposed to the internet, it may be exploited by botnets or used in distributed denial-of-service (DDoS) attacks.
