TOTOLINK N300RB Command Injection Vulnerability in Remote Support Feature
Vulnerability
A command injection vulnerability has been identified in the TOTOLINK N300RB router, specifically in firmware version 8.54. The issue arises from a hidden remote support feature that is protected only by a static secret. It allows an authenticated attacker to execute arbitrary operating system commands with root privileges. Exploitation requires that the remote support feature be enabled and that the attacker know the secret.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the router with root privileges.
Reproduction
To reproduce this vulnerability, first upload a modified configuration file that enables the remote support feature. This can be done by downloading the current configuration, adding the line 'remote_support=1' to the 'etc/iconfig.cfg' file, and then uploading the modified configuration back to the router. Once the remote support feature is enabled, access the debug interface by sending a request to '/cgi-bin/d.cgi' with the 'act' parameter set to '1' and the 'aaksjdkfj' parameter set to '#notenoughmineral^'. This will trigger the hidden interface, where commands can be executed with root privileges.
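For defenders, the two artifacts named above (the 'remote_support=1' line in 'etc/iconfig.cfg' and requests to '/cgi-bin/d.cgi') can be checked for directly. The following is an added example, not part of the original advisory or any vendor tooling. It assumes Common Log Format lines from a proxy or sensor in front of the router; the function names and sample data are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

DEBUG_PATH = "/cgi-bin/d.cgi"   # hidden debug endpoint named in the advisory
SECRET_PARAM = "aaksjdkfj"      # query parameter that carries the static secret

# Assumption: Common Log Format lines from a proxy or sensor in front of the router.
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" \d{3}')


def remote_support_enabled(iconfig_text):
    """Return True if an extracted etc/iconfig.cfg contains remote_support=1."""
    for line in iconfig_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "remote_support" and value.strip() == "1":
            return True
    return False


def find_debug_access(log_lines):
    """Return (client, method, has_secret_param) for every request to the debug CGI."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, method, target = match.groups()
        url = urlsplit(target)
        # Decode and collapse slashes so /cgi-bin//d.cgi or percent-encoded paths still match.
        path = re.sub(r"/+", "/", unquote(url.path))
        if path != DEBUG_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        # POST bodies are not logged, so a hit without the parameter is still reported.
        hits.append((client, method, SECRET_PARAM in params))
    return hits


# Constructed sample data (documentation addresses, placeholder secret value).
SAMPLE_CONFIG = "example_key=value\nremote_support=1\n"
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.55 - - [01/Jan/2024:10:05:00 +0000] "GET /cgi-bin/d.cgi?act=1&aaksjdkfj=%23PLACEHOLDER HTTP/1.1" 200 128',
    '192.0.2.56 - - [01/Jan/2024:10:06:00 +0000] "POST /cgi-bin//d.cgi HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    print("remote_support enabled:", remote_support_enabled(SAMPLE_CONFIG))
    for hit in find_debug_access(SAMPLE_LOG):
        print("debug CGI request:", hit)
```

Any request to this path is worth investigating, since the feature is hidden and has no place in normal administration.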
