ToToLink A3300R Command Injection Vulnerability in cgi-bin/cstecgi.cgi

A command injection vulnerability has been identified in ToToLink A3300R firmware version 17.0.0cu.557_B20221024. The issue allows attackers to execute arbitrary commands by exploiting the pppoeMtu parameter in the cgi-bin/cstecgi.cgi script. The vulnerability arises because the sub_422380 function retrieves the pppoeMtu value from the request and passes it to the Uci_Set_Str function, which concatenates it into a command that is executed via the CsteSystem function.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to /cgi-bin/cstecgi.cgi with the pppoeMtu parameter set to a crafted value that includes a command, such as a wget command to download a file from a remote server. The request should include the necessary headers and payload to mimic a legitimate XMLHttpRequest.