ToToLink A3300R Command Injection Vulnerability in cgi-bin/cstecgi.cgi

A command injection vulnerability has been identified in ToToLink A3300R firmware version 17.0.0cu.557_B20221024. The issue arises in the cgi-bin/cstecgi.cgi script, where the stunPort parameter can be manipulated to execute arbitrary commands. This vulnerability allows attackers to send crafted requests that are processed by the device, potentially leading to unauthorized command execution.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to /cgi-bin/cstecgi.cgi with the stunPort parameter set to a crafted value that includes a command, such as a wget command to download a file from a remote server. The request should be formatted as application/x-www-form-urlencoded and include the necessary headers to mimic a legitimate XMLHttpRequest.