TOTOLINK A950RG Router Command Injection Vulnerability

A command injection vulnerability has been identified in the TOTOLINK A950RG Router, specifically in the firmware version V5.9c.4592_B20191022_ALL. The issue resides within the 'system.so' binary, in the 'setDiagnosisCfg' function. This function retrieves the 'ipDoamin' parameter from user input using 'websGetVar', and directly concatenates it into a 'ping' system command executed via 'CsteSystem()', without any form of input sanitization. As a result, an unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device by sending specially crafted HTTP requests to the router's web interface.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/system.cgi' on the router's web interface. Include the 'ipDoamin' parameter in the request body, and append the desired command to be executed on the device. The injected command will be executed with the same privileges as the router's system commands.