TOTOLINK X5000R OS Command Injection Vulnerability in setScheduleCfg

A command injection vulnerability has been identified in the TOTOLINK X5000R router, specifically in firmware version 9.1.0cu.2350_b20230313. The vulnerability resides in the web interface, within the 'setScheduleCfg' function of the CGI binary '/web/cgi-bin/cstecgi.cgi'. Authenticated attackers can exploit this issue by sending crafted requests that include malicious commands, which are then executed on the operating system.

Impact

Exploitation of this vulnerability allows authenticated attackers to execute arbitrary commands on the device's operating system.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'switch', 'week', 'hour', 'minute', and 'recHour' parameters. Include the 'topicurl' parameter set to 'setScheduleCfg' and a valid 'token'. The 'switch', 'week', 'hour', 'minute', and 'recHour' parameters can be crafted to include malicious payloads, such as command injection attempts. Once the request is sent, the injected commands will be executed on the device.