Totolink WA300 OS Command Injection Vulnerability Allowing Remote Code Execution

A remote code execution vulnerability has been identified in the Totolink WA300 router, specifically in the firmware version 5.2cu.7112_B20190227. The issue arises in the 'setAPNetwork' function within the '/cgi-bin/cstecgi.cgi' file, where the 'Ipaddr' parameter is manipulated to inject operating system commands. The vulnerability exists because the server fails to properly validate or sanitize the input before executing it as a system command, allowing unauthorized remote attackers to execute arbitrary commands with root privileges on the device.

Impact

Exploitation of this vulnerability allows for arbitrary operating system command execution with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'Ipaddr' parameter containing a command injection payload, such as a command wrapped in backticks. The injected command will be executed on the device's operating system.