TOTOLINK WA300 Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in the TOTOLINK WA300 router firmware version 5.2cu.7112_B20190227. The issue resides in the cstecgi.cgi component, specifically within the sub_401510 function. This vulnerability allows remote, unauthenticated attackers to execute arbitrary commands on the device by manipulating the UPLOAD_FILENAME parameter in HTTP upload requests. The vulnerability arises from inadequate validation and sanitization of user-supplied input, which is directly incorporated into system commands executed by the router.
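The root cause described above is request input placed into a command line that a shell then interprets. The following C code is an added example, not code from the TOTOLINK firmware or from this advisory: it shows the defensive pattern for a CGI upload handler, which is to allowlist the filename and then run the helper with an explicit argv and no shell. The function names, the /tmp staging path and /bin/ls as a stand-in command are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern to avoid (generic CWE-78 shape, not decompiled firmware code):
 *   snprintf(cmd, sizeof cmd, "<helper> %s", filename); system(cmd);
 * The shell parses the whole string, so metacharacters in filename run. */

/* Hypothetical allowlist check: 1..64 bytes of [A-Za-z0-9._-], and no
 * leading '.' or '-', so shell metacharacters, path separators, dotfiles
 * and option-like names are all rejected. Returns 1 if safe, else 0. */
int upload_filename_is_safe(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Run a program with an explicit argv; no shell ever sees the arguments. */
int run_no_shell(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(path, argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened handler: validate first, then exec. Returns -2 on rejection. */
int handle_upload(const char *filename)
{
    char path[128];
    if (!upload_filename_is_safe(filename)) return -2;
    snprintf(path, sizeof path, "/tmp/%s", filename);   /* assumed staging dir */
    char *argv[] = { "ls", "-l", "--", path, NULL };    /* stand-in helper */
    return run_no_shell("/bin/ls", argv);
}
```

Either control alone narrows the problem; together the allowlist keeps unexpected bytes out of paths and the argv-based exec removes the shell from the data flow.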
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with the potential for unauthorized access to the device's functions and data.
Reproduction
To reproduce this vulnerability, send an HTTP request to the device's web management interface with the action parameter set to 'upload'. Include a crafted UPLOAD_FILENAME value that contains the desired command payload. The vulnerable cstecgi.cgi script will execute the command on the device, allowing for remote code execution.
