TOTOLINK A3700R Improper Access Control Vulnerability in UPnP Configuration

Vulnerability

A critical improper access control vulnerability has been identified in the TOTOLINK A3700R router, specifically in version 9.1.2u.5822_B20200513. The issue resides within the web management interface, particularly in the 'setUPnPCfg' function of the '/cgi-bin/cstecgi.cgi' file. This vulnerability allows remote attackers to manipulate UPnP settings by sending unauthenticated HTTP POST requests with specific headers. The lack of proper access controls enables unauthorized users to alter the device's UPnP service, potentially leading to further exploitation or network vulnerabilities.

Impact

Exploitation of this vulnerability allows for unauthorized modification of the UPnP service settings on the affected router, which could be used to facilitate other attacks or manipulate network traffic.

Reproduction

To reproduce this vulnerability, send an unauthenticated HTTP POST request to the '/cgi-bin/cstecgi.cgi' endpoint. Include a header set to 'setUPnPCfg' and a payload that manipulates the UPnP service configuration. The absence of authentication requirements allows this attack to be executed remotely.
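A detection-side view of the request pattern described above, as an added example that is not part of the original advisory or any vendor code: it scans captured HTTP requests (for instance from a proxy or packet capture in front of the router) for POSTs to '/cgi-bin/cstecgi.cgi' that name 'setUPnPCfg'. The admin host allowlist, the use of a session cookie as a sign of an authenticated session, the header name and all sample captures are assumptions constructed for illustration.

```python
import ipaddress

ENDPOINT = "/cgi-bin/cstecgi.cgi"  # path named in the advisory
ACTION = "setupnpcfg"              # function named in the advisory, lower-cased
ADMIN_HOSTS = {ipaddress.ip_address("192.168.0.10")}  # assumption (constructed)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1].split("?", 1)[0], headers, body

def find_upnp_config_changes(captures):
    """Return one finding per captured request that invokes setUPnPCfg."""
    findings = []
    for src, raw in captures:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, path, headers, body = parsed
        if method != "POST" or path != ENDPOINT:
            continue
        # The advisory puts the function name in a header; search the body too.
        if ACTION not in (" ".join(headers.values()) + " " + body).lower():
            continue
        from_admin = ipaddress.ip_address(src) in ADMIN_HOSTS
        has_cookie = "cookie" in headers  # assumption: sessions carry a cookie
        findings.append({"src": src, "from_admin_host": from_admin, "has_cookie": has_cookie,
                         "suspicious": not (from_admin and has_cookie)})
    return findings

# Constructed captures: (source address, raw request). Header names are placeholders.
_POST = "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
SAMPLE = [
    ("192.168.0.10", _POST + "Cookie: SESSION=constructed\r\nX-Example-Action: setUPnPCfg\r\n\r\n"),
    ("203.0.113.7", _POST + "X-Example-Action: setUPnPCfg\r\n\r\n"),
    ("203.0.113.7", _POST + "X-Example-Action: otherAction\r\n\r\n"),
    ("203.0.113.7", "GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
]

if __name__ == "__main__":
    print(find_upnp_config_changes(SAMPLE))
```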

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.