ToToLink A3300R Command Injection Vulnerability in cgi-bin/cstecgi.cgi

A command injection vulnerability has been identified in ToToLink A3300R firmware version 17.0.0cu.557_B20221024. The issue arises in the cgi-bin/cstecgi.cgi script, where the 'week' parameter can be manipulated to execute arbitrary commands. This vulnerability exploits the sub_414614 function, which retrieves the 'week' value from the request and passes it to the Uci_Set_Str function. The Uci_Set_Str function concatenates the input using sprintf and sends it to CsteSystem for execution. The CsteSystem function then wraps the command and executes it via execv, allowing for arbitrary command execution on the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to /cgi-bin/cstecgi.cgi with a crafted 'week' parameter. The value should include a command, such as a wget request, which will be executed on the device. Ensure that the request includes the appropriate headers and payload to mimic a legitimate XMLHttpRequest.