ToToLink A3300R Command Injection Vulnerability in cgi-bin/cstecgi.cgi

A command injection vulnerability has been identified in ToToLink A3300R firmware version 17.0.0cu.557_B20221024. The issue allows attackers to execute arbitrary commands by exploiting the 'mode' parameter in the '/cgi-bin/cstecgi.cgi' script. The vulnerability arises because the 'mode' parameter is not properly sanitized before being passed to a system execution function.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'mode' parameter set to a crafted value that includes the desired command. The request should be made with the appropriate headers to mimic a legitimate XMLHttpRequest. Once the command is executed, the outcome can be verified by checking the response or the effects of the command execution.