TOTOLINK N600R Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the TOTOLINK N600R router, specifically in firmware version 4.3.0cu.7866_B20220506. The issue lies in the web CGI binary '/web_cste/cgi-bin/cstecgi.cgi', in the function 'sub_4159F8'. The flaw is reachable before authentication: a remote, unauthenticated attacker can execute arbitrary system commands on the device by sending specially crafted payloads.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'topicurl' parameter set to 'setting/setLanguageCfg' and the 'langType' parameter containing the payload for command execution, such as a command substitution using backticks. This request can be made using tools like curl or Postman, or through a simple Python script that automates the process.
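As an added example (not from the advisory, the vendor or any tool mentioned above), a small Python checker that classifies captured HTTP requests against the request shape described here, so that a WAF or IDS rule for this endpoint can be tested offline. The body encoding (JSON or form data), the expected shape of a legitimate 'langType' value and the sample requests are assumptions, not facts from the advisory.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Request shape the advisory describes: POST to cstecgi.cgi with
# topicurl=setting/setLanguageCfg and a langType value carrying shell syntax.
CGI_PATHS = {"/cgi-bin/cstecgi.cgi", "/web_cste/cgi-bin/cstecgi.cgi"}
SUSPECT_TOPIC = "setting/setLanguageCfg"
# Shell metacharacters that never belong in a language code.
SHELL_META = re.compile(r"[`$;|&(){}<>\n]")
# Assumed shape of a legitimate langType (e.g. "en", "cn"); not from the advisory.
LANG_OK = re.compile(r"^[A-Za-z0-9_-]{1,8}$")

def parse_request(raw):
    """Split raw HTTP request text into (method, path, parameter dict)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    # The advisory does not state the body encoding, so accept JSON or form data.
    if body.lstrip().startswith("{"):
        try:
            params = {k: str(v) for k, v in json.loads(body).items()}
        except ValueError:
            params = {}
    else:
        params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, urlsplit(target).path, params

def classify(raw):
    """Return 'alert', 'suspicious' or 'ok' for one captured request."""
    method, path, params = parse_request(raw)
    if method != "POST" or path not in CGI_PATHS:
        return "ok"
    if params.get("topicurl") != SUSPECT_TOPIC:
        return "ok"
    lang = params.get("langType", "")
    if SHELL_META.search(lang):
        return "alert"          # shell syntax in a field that should hold a language code
    if not LANG_OK.match(lang):
        return "suspicious"     # unexpected shape, worth a look but not proof of injection
    return "ok"

def _req(path, body):
    # Build a constructed raw POST request for the samples below (assumed Host header).
    return (f"POST {path} HTTP/1.1\r\nHost: router.lan\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

# Constructed samples: a normal language change and one carrying backtick substitution.
SAMPLES = {
    "benign": _req("/cgi-bin/cstecgi.cgi", "topicurl=setting/setLanguageCfg&langType=en"),
    "backtick": _req("/cgi-bin/cstecgi.cgi", '{"topicurl":"setting/setLanguageCfg","langType":"en`cmd`"}'),
}
```

Running `classify` over each entry of `SAMPLES` yields "ok" for the benign request and "alert" for the one containing backticks.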

Added: Sep 4, 2025, 11:09 AM
Updated: Sep 4, 2025, 6:32 PM

Vulnerability Rating

Custom Algorithm
  spread          0.3
  impact         10.0
  exploitability  9.1
  remediation     0.0
  relevance       0.5
  threat          6.4
  urgency         2.9
  incentive       9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.