Overview
Vulnerability details
Totolink X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
Analysis
In shttp, the function sub_4184C0 retrieves the tz parameter, places it in register X25, and then calls Uci_Set_Str.
uci_set_str stores the timezone and NTP values taken from register X25; the function set_timezone_to_kernel is then called.
In libcscommon.so, the function set_timezone_to_kernel calls uci_get_str to read back the previously stored timezone and NTP values, then passes them to the function do_system.
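The chain described above (a request-controlled tz value stored with uci_set_str, read back with uci_get_str and handed to do_system) is the classic store-then-shell pattern behind this class of command injection. The C below is an added example, not code from the advisory or from the Totolink firmware: it puts an inert sketch of the vulnerable shape next to a hardened setter that allowlists the TZ string and writes it to the timezone file without invoking a shell, plus an execv-based helper for cases where an external program is unavoidable. The function names (tz_is_valid, set_timezone_unsafe, set_timezone_safe, run_argv), the 64-character limit and the /etc/TZ path are assumptions for illustration.

```c
/* Added example (not from the advisory or the Totolink firmware).
 * Defensive rewrite of the pattern the analysis describes: the firmware
 * stores a request-controlled tz string, reads it back and hands it to
 * do_system(). Function names and the /etc/TZ path are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define TZ_MAX_LEN 64  /* assumed upper bound for a POSIX TZ string */

/* Allowlist check for a POSIX TZ string such as "UTC-8" or
 * "CST6CDT,M3.2.0,M11.1.0". Letters, digits and the punctuation the TZ
 * grammar uses are accepted; spaces, quotes, ';', '|', '&', '$', '`' and
 * control characters are rejected. '<' and '>' are part of the grammar
 * (quoted numeric zone names like "<+03>-3") and are safe only because the
 * hardened path below never hands the value to a shell. */
bool tz_is_valid(const char *tz)
{
    if (tz == NULL) return false;
    size_t len = strlen(tz);
    if (len == 0 || len > TZ_MAX_LEN) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tz[i];
        if (isalnum(c)) continue;
        if (strchr("+-,./:<>", c) != NULL) continue;
        return false;
    }
    return true;
}

/* Vulnerable shape, kept inert for contrast and never called here: the
 * stored value is spliced into a shell command line, so any shell
 * metacharacter in tz turns into a second command. This mirrors the
 * uci_get_str -> do_system step from the analysis. */
void set_timezone_unsafe(const char *tz)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "echo %s > /etc/TZ", tz);
    /* do_system(cmd);  <- the step the advisory identifies */
    (void)cmd;
}

/* Hardened: validate first, then write the file directly with stdio so no
 * shell ever parses the value. tz_path is a parameter so the example can
 * target a scratch file instead of the real /etc/TZ. Returns 0 on success,
 * -1 on rejection or I/O error. */
int set_timezone_safe(const char *tz, const char *tz_path)
{
    if (!tz_is_valid(tz)) return -1;
    FILE *f = fopen(tz_path, "w");
    if (f == NULL) return -1;
    int rc = (fprintf(f, "%s\n", tz) < 0) ? -1 : 0;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* If an external program is unavoidable, pass the value as one argv element
 * via fork/execv. argv is never tokenised by a shell, so metacharacters are
 * just bytes in an argument. Returns the child's exit status or -1. */
int run_argv(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample inputs: two valid TZ strings, one with a shell
     * metacharacter, one empty */
    const char *samples[] = { "UTC-8", "CST6CDT,M3.2.0,M11.1.0", "UTC0;echo x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               tz_is_valid(samples[i]) ? "accepted" : "rejected");
    return set_timezone_safe("UTC-8", "/tmp/tz_example") == 0 ? 0 : 1;
}
```

The validation belongs at the point where the request parameter is first accepted, before uci_set_str stores it; checking only in the consumer (set_timezone_to_kernel) leaves every other reader of the stored value exposed. Replacing do_system with a direct file write or an argv-based exec removes the shell from the path entirely, so the allowlist becomes defence in depth rather than the only barrier.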
Request