ToToLink A720R
cpe:2.3:h:totolink:a720r:*:*:*:*:*:*:*
- V4.1.5cu.614_B20230630
A command injection vulnerability has been identified in the ToToLink A720R Router running firmware V4.1.5cu.614_B20230630. The issue resides within the sysconf binary, specifically in the sub_40BFA4 function, which manages network interface reinitialization by reading from '/var/system/linux_vlan_reinit'. The vulnerability arises because input is only partially validated—interface name prefixes are checked—but the data is then concatenated into shell commands executed via the system() function, without proper escaping. An attacker with write access to the '/var/system/linux_vlan_reinit' file can exploit this flaw to execute arbitrary commands on the device.
Exploitation of this vulnerability allows for arbitrary command execution on the affected router.
To reproduce this vulnerability, create a malicious configuration file named 'linux_vlan_reinit' in the '/var/system/' directory. The file should contain interface names (such as 'eth0' or 'wlan0') followed by a command, such as 'ls > /tmp/result.txt', which directs the output to a file in the '/tmp' directory. Once the file is prepared, the sysconf binary can be executed, which will read the crafted file and execute the injected commands via the command injection vulnerability.
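The gap between the prefix check described above and a whole-name check, as an added example for the remediation side (not the vendor's code or a decompilation of sub_40BFA4). The prefix allow-list, the function names and the sample file contents are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define IFNAME_MAX 15  /* Linux IFNAMSIZ (16) minus the terminating NUL */
/* Assumed allow-list; the advisory only names eth0 and wlan0 as examples. */
static const char *const PREFIXES[] = { "eth", "wlan" };

/* Weak pattern from the advisory: only the start of the line is checked. */
bool prefix_only_ok(const char *s)
{
    for (size_t i = 0; i < sizeof PREFIXES / sizeof *PREFIXES; i++)
        if (strncmp(s, PREFIXES[i], strlen(PREFIXES[i])) == 0)
            return true;
    return false;
}

/* Hardened check: all len bytes (s[len] is NUL or newline) must form a name. */
bool ifname_strict_ok(const char *s, size_t len)
{
    if (len == 0 || len > IFNAME_MAX || !prefix_only_ok(s))
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;  /* space, redirection, separator, quote, ... */
    }
    return true;
}

/* Count non-empty lines of the file contents that fail the strict check. */
int count_rejected_lines(const char *p)
{
    int rejected = 0;
    while (*p) {
        size_t n = strcspn(p, "\n");
        if (n > 0 && !ifname_strict_ok(p, n))
            rejected++;
        p += n + (p[n] == '\n');
    }
    return rejected;
}

int main(void)
{
    /* Constructed file contents, reusing the command string from the text. */
    const char *sample = "eth0\nwlan0\neth0 ls > /tmp/result.txt\n";
    printf("rejected lines: %d\n", count_rejected_lines(sample));
    return 0;
}
```

Validation alone is only half of the fix: a name that passes should be handed to the helper program as a single argv element (fork/exec or posix_spawn) rather than concatenated into a string for system().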