TOTOLINK A3002R
cpe:2.3:h:totolink:a3002r:*:*:*:*:*:*:*
- V4.0.0-B20230531.1404
Multiple OS command injection vulnerabilities have been identified in the TOTOLINK A3002R router, specifically in version 4.0.0-B20230531.1404. These vulnerabilities arise in the web interface's 'formMapDelDevice' endpoint, where the 'macstr', 'bandstr', and 'clientoff' parameters can be manipulated to execute arbitrary commands on the operating system.
Exploitation of these vulnerabilities allows for arbitrary command execution on the device's operating system.
The vulnerability can be reproduced by sending a request to the 'formMapDelDevice' endpoint with crafted values for the 'macstr', 'bandstr', and 'clientoff' parameters. The 'macstr' parameter carries the injected command, such as 'echo 123456 > /tmp/hacked', while the 'clientoff' and 'bandstr' parameters can be used to bypass input validation. After the request is processed, the injected command is executed, which can be verified by checking the '/tmp/hacked' file.
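A defender-side check for the request pattern described above, as an added example that is not part of the original advisory: it flags form-encoded requests to 'formMapDelDevice' whose 'macstr', 'bandstr' or 'clientoff' values contain shell metacharacters. The tab-separated log format, the request paths, the metacharacter set and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter names as given in the advisory text.
ENDPOINT = "formMapDelDevice"
WATCHED_PARAMS = ("macstr", "bandstr", "clientoff")
# Assumption: characters a POSIX shell treats specially; tune for your environment.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"\n\r]""")


def suspicious_params(path, body):
    """Return {param: [decoded values]} for watched params holding shell metacharacters."""
    if ENDPOINT not in path:
        return {}
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    fields = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        bad = [v for v in fields.get(name, []) if SHELL_META.search(v)]
        if bad:
            hits[name] = bad
    return hits


def scan(lines):
    """Scan 'src<TAB>method<TAB>path<TAB>body' lines (hypothetical proxy log format)."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing at their layout
        src, _method, path, body = parts
        hits = suspicious_params(path, body)
        if hits:
            findings.append((src, sorted(hits)))
    return findings


# Constructed sample log lines (documentation IP range, made-up values).
SAMPLE_LOG = [
    "192.0.2.5\tPOST\t/formMapDelDevice\tmacstr=00%3A11%3A22%3A33%3A44%3A55&bandstr=5G&clientoff=1",
    "192.0.2.10\tPOST\t/formMapDelDevice\tmacstr=00%3A11%3Becho+test&bandstr=5G&clientoff=1",
    "192.0.2.11\tPOST\t/formMapDelDevice\tmacstr=00%3A11&bandstr=%24%28x%29&clientoff=1%7Cy",
    "192.0.2.12\tPOST\t/formOther\tname=a%3Bb",
]

if __name__ == "__main__":
    for src, params in scan(SAMPLE_LOG):
        print(f"{src}: shell metacharacters in {', '.join(params)}")
```
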