ToToLink LR1200GB Router Unauthenticated Command Injection Vulnerability

A command injection vulnerability has been identified in the ToToLink LR1200GB Router, specifically in the firmware version V9.1.0u.6619_B20230130. The issue resides within the cstecgi.cgi binary, in a function that processes the 'imei' parameter from web requests. The vulnerability allows unauthenticated users to execute arbitrary commands on the router. The 'imei' parameter is only length-validated before being inserted into a system command using sprintf(), and then executed with the system() function. This lack of proper input sanitization enables the execution of maliciously crafted IMEI inputs as commands on the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to the '/cgi-bin/cstecgi.cgi' endpoint with an 'imei' parameter. The value of the 'imei' parameter should be crafted to include the desired command, such as 'uname -a', which will be executed on the router.