Totolink N300RH V4 Unauthenticated OS Command Injection via setWiFiWpsConfig Function

Vulnerability

A pre-authentication OS command injection vulnerability exists in the Totolink N300RH V4 router running firmware version 6.1c.1353_B20190305. The vulnerability is located in the CGI handler /cgi-bin/cstecgi.cgi, specifically within its setWiFiWpsConfig function. The function retrieves user-controlled input from the HTTP parameter PIN and embeds it directly into a shell command using sprintf, without any sanitization. The command is then executed with root privileges via CsteSystem(). As a result, remote attackers can inject arbitrary commands that run as root, giving them full control over the device and potentially compromising the entire network.
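
The root cause above is that PIN reaches a shell command without validation. As an added example (not Totolink's code and not part of the original advisory), the C sketch below shows an allowlist check a handler could apply before the value is used at all. The function names are hypothetical, and it assumes the firmware only needs standard WPS PINs (4 digits, or 8 digits with a checksum).

```c
#include <stddef.h>
#include <string.h>

/* WPS checksum digit for the first seven digits of an 8-digit PIN. */
static unsigned int wps_pin_checksum(unsigned int pin7)
{
    unsigned int accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);
        pin7 /= 10;
        accum += pin7 % 10;
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Return 1 only for a well-formed WPS PIN: exactly 4 or 8 ASCII digits,
 * and for 8 digits a correct checksum. Everything else, including any
 * shell metacharacter, whitespace or over-long input, is rejected. */
int wps_pin_is_valid(const char *pin)
{
    size_t i;
    unsigned int value = 0;

    if (pin == NULL)
        return 0;
    for (i = 0; pin[i] != '\0'; i++) {
        if (i >= 8 || pin[i] < '0' || pin[i] > '9')
            return 0;
        value = value * 10 + (unsigned int)(pin[i] - '0');
    }
    if (i == 4)
        return 1;
    if (i != 8)
        return 0;
    return wps_pin_checksum(value / 10) == value % 10;
}

/* Copy the PIN into out only after validation. The caller should then pass
 * it as a single argv element (execv-style) instead of formatting it into
 * a string that a shell interprets. Returns 0 on success, -1 on rejection. */
int wps_pin_accept(const char *pin, char *out, size_t out_len)
{
    if (!wps_pin_is_valid(pin) || out == NULL || out_len < strlen(pin) + 1)
        return -1;
    memcpy(out, pin, strlen(pin) + 1);
    return 0;
}
```

Validation of this kind belongs in the CGI handler itself, before authentication state or any other parameter influences how the PIN is used.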

Impact

Exploitation of this vulnerability allows for remote, unauthenticated execution of arbitrary commands with root privileges on the affected router.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the router's web management interface with the PINPBCRadio parameter set to '1', the PINMode parameter left empty, and the PIN parameter containing the injected command payload. The injected command will be executed on the router with root privileges.

Added: Mar 8, 2026, 1:18 AM
Updated: Mar 8, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.