TOTOLINK A950RG
cpe:2.3:h:totolink:a950rg:*:*:*:*:*:*:*
- V4.1.2cu.5204_B20210112
A command execution vulnerability has been identified in the TOTOLINK A950RG router, specifically in firmware version V4.1.2cu.5204_B20210112. The issue arises within the setDeviceName interface of the /lib/cste_modules/global.so library, where the deviceMac parameter is processed. This vulnerability allows attackers to inject arbitrary system commands by exploiting insufficient input validation of user-supplied parameters. Malicious requests can be crafted to execute commands on the router, potentially leading to unauthorized control over the device.
Exploitation of this vulnerability allows for arbitrary command execution on the affected router, with the potential for complete system compromise.
The vulnerability can be reproduced by sending a POST request to the /cgi-bin/cstecgi.cgi endpoint. The request must include a JSON payload that specifies the topicurl as 'setting/setDeviceName'. The deviceMac parameter should be crafted to include injected commands, such as 'a',; telnetd &', which exploits the command execution flaw. Once the request is sent, the injected commands will be executed on the router, as confirmed by the successful activation of the Telnet service, providing shell access to the device.
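A detection-side check for the request shape described above, as an added example (not code from this advisory or from the vendor): it flags POSTs to /cgi-bin/cstecgi.cgi with topicurl setting/setDeviceName whose deviceMac is anything other than a plain MAC address. The accepted MAC format, the function names, the `setting/otherTopic` value and the sample requests are assumptions constructed for illustration.

```python
import json
import re

# Assumed allowlist: six hex octets separated by ':' or '-'. Anything else,
# including shell metacharacters, is not a MAC address and is flagged.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
ENDPOINT = "/cgi-bin/cstecgi.cgi"   # endpoint named in the advisory
TOPIC = "setting/setDeviceName"     # topicurl named in the advisory


def inspect_request(method, path, body):
    """Return None for unrelated or well-formed requests, else a finding string."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return None
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None  # not JSON, so not the request shape described above
    if not isinstance(data, dict) or data.get("topicurl") != TOPIC:
        return None
    mac = data.get("deviceMac")
    # A missing or non-string deviceMac is flagged too: only a plain MAC passes.
    if isinstance(mac, str) and MAC_RE.fullmatch(mac):
        return None
    return "setDeviceName: deviceMac is not a plain MAC address: %r" % (mac,)


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", ENDPOINT, json.dumps({"topicurl": TOPIC, "deviceMac": "00:11:22:33:44:55"})),
    # Value shaped like the string quoted in the reproduction steps above.
    ("POST", ENDPOINT, json.dumps({"topicurl": TOPIC, "deviceMac": "a'; telnetd &'"})),
    ("POST", ENDPOINT, json.dumps({"topicurl": TOPIC, "deviceMac": ["x"]})),
    ("POST", ENDPOINT, json.dumps({"topicurl": "setting/otherTopic"})),  # hypothetical topic
    ("POST", ENDPOINT, "not json"),
    ("GET", "/index.html", ""),
]


def scan(samples):
    """Run inspect_request over (method, path, body) tuples."""
    return [inspect_request(*s) for s in samples]


if __name__ == "__main__":
    for sample, finding in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if finding else "ok   ", sample[2][:60], "->", finding)
```

The same allowlist applies on the device side: a value that fails the MAC pattern should be rejected before it reaches any system command.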