TOTOLINK A810R Command Insertion Vulnerability in downloadFile.cgi

A command insertion vulnerability has been identified in the TOTOLINK A810R router, specifically in the firmware version V4.1.2cu.5032_B20200407. The issue resides within the downloadFile.cgi main function, where the QUERY_STRING can be manipulated to execute arbitrary commands on the system. This exploitation is achieved by injecting commands through the ussd parameter, using shell script delimiters to bypass server-side filters.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by using qemu-system-mipsel to emulate the router's firmware environment. Once the environment is set up, send an HTTP request to the downloadFile.cgi script with a payload that includes the desired command, using shell delimiters to separate commands. For example, a request could be crafted to execute a command that lists files in a specific directory on the device.