TOTOLINK X6000R
cpe:2.3:h:totolink:x6000r:*:*:*:*:*:*:*, +1 more
- 9.4.0cu.1360_B20241207
- 9.4.0cu.1498_B20250826
A critical OS command injection vulnerability has been identified in the TOTOLINK X6000R router, specifically in versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. The issue arises in the 'setLanCfg' function of the '/usr/sbin/shttpd' file, where the 'Hostname' parameter is not properly sanitized before being passed to a shell command. This flaw allows an authenticated attacker to manipulate the hostname input to execute arbitrary commands on the operating system.
Exploitation of this vulnerability allows for OS command injection, where an authenticated attacker can execute arbitrary commands with the privileges of the web server process.
To reproduce this vulnerability, an authenticated user can send a request to the 'setLanCfg' function with a crafted 'Hostname' parameter containing shell metacharacters, such as single quotes, double quotes, output redirection characters, or comment characters. Because the value is not sanitized, this input can escape the quoted context and redirect output to arbitrary files, potentially leading to persistent remote code execution by writing a cron job that re-runs the injected command.
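A defender-side check for the root cause described above, added here as an example and not code from the TOTOLINK firmware: a strict RFC 1123 hostname allowlist that rejects every quote, redirection and comment character before the value can reach any command string. The function name is an assumption; the validated value should then be applied through a direct API such as sethostname(2) rather than interpolated into a shell command.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical replacement for the missing check in setLanCfg.
 * Accepts only RFC 1123 hostnames: labels of ASCII letters, digits and
 * hyphens, 1..63 chars each, no leading or trailing hyphen, separated
 * by single dots, at most 253 chars in total. Quotes, '>', '#', ';',
 * spaces and every other metacharacter fail the allowlist.
 * Returns 1 when the hostname is acceptable, 0 otherwise. */
int hostname_is_valid(const char *s)
{
    size_t len, label = 0;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > 253)
        return 0;

    for (size_t i = 0; i < len; i++) {
        char c = s[i];

        if (c == '.') {
            /* empty label ("a..b", leading dot) or label ending in '-' */
            if (label == 0 || s[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }

        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && c != '-')
            return 0;            /* any shell metacharacter lands here */
        if (c == '-' && label == 0)
            return 0;            /* label may not start with a hyphen */
        if (++label > 63)
            return 0;            /* label too long */
    }

    /* final label must be non-empty and must not end in a hyphen */
    return label > 0 && s[len - 1] != '-';
}
```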