ToToLink A720R Router Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the ToToLink A720R Router running firmware V4.1.5cu.614_B20230630. The issue resides within the cloudupdate_check binary, specifically in the sub_402414 function, which processes cloud update parameters. User-supplied 'magicid' and 'url' values are directly appended to shell commands and executed via the system() function, without any form of sanitization or escaping. This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the device.
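The fix pattern for the flaw described above, as an added example that is not code from the firmware or the vendor: validate both request values against an allowlist and pass them as separate arguments to an exec-style call instead of building a string for system(). The program name `fetch_tool`, the function names, and the length and character-set limits are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pattern the advisory describes (comment only; "fetch_tool" is a placeholder):
 *   snprintf(cmd, sizeof cmd, "fetch_tool %s %s", url, magicid);
 *   system(cmd);            // the shell re-parses request-controlled bytes
 */

/* Assumption: magicid is a short alphanumeric token (1..32 chars). */
int valid_magicid(const char *s) {
    size_t n = 0;
    if (s == NULL) return 0;
    for (; s[n] != '\0'; n++)
        if (n >= 32 || !isalnum((unsigned char)s[n])) return 0;
    return n > 0;
}

/* Assumption: update URLs are http(s), at most 255 bytes, from a narrow charset. */
int valid_url(const char *s) {
    static const char extra[] = "-._~:/?=%+,@";
    size_t n, i;
    if (s == NULL) return 0;
    if (strncmp(s, "http://", 7) != 0 && strncmp(s, "https://", 8) != 0) return 0;
    n = strlen(s);
    if (n > 255) return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && strchr(extra, s[i]) == NULL) return 0;
    return 1;
}

/* Build an argument vector for execv() after fork(): each value stays one
 * argument and no shell is involved. Returns 0 on success, -1 on rejection. */
int build_argv(const char *url, const char *magicid, const char *argv[4]) {
    if (!valid_url(url) || !valid_magicid(magicid)) return -1;
    argv[0] = "fetch_tool";   /* placeholder program name */
    argv[1] = url;
    argv[2] = magicid;
    argv[3] = NULL;
    return 0;
}

int main(void) {
    const char *argv[4];
    /* Constructed sample values, not taken from a real device. */
    printf("%d\n", build_argv("http://update.example.invalid/fw.bin", "SAFE", argv));
    printf("%d\n", build_argv("http://update.example.invalid/fw.bin;ifconfig", "SAFE", argv));
    return 0;
}
```

Validation alone is not the fix: the allowlist narrows input, while removing the shell from the call path is what stops request data from being parsed as commands.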

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/cloud_update.cgi' endpoint. The request must include the 'Var' parameter set to '3.0', 'mode' set to '1', and the 'url' parameter containing a URL followed by a command (e.g., 'ifconfig'). The 'magicid' parameter can be set to a fixed value, such as 'SAFE'.

Added: Nov 13, 2025, 4:31 PM
Updated: Nov 13, 2025, 6:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.