Totolink A3300R Command Injection Vulnerability

A command injection vulnerability has been identified in the Totolink A3300R router, specifically in version 17.0.0cu.557_b20221024. The issue arises in the 'setUPnPCfg' function within the '/cgi-bin/cstecgi.cgi' file. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter in a crafted request. The exploitation of this vulnerability is made easier by the fact that the router's web server, 'shttpd', does not properly sanitize user input before it is executed as a command.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'topicurl' parameter set to 'setUPnPCfg' and the 'enable' parameter containing the command to be executed. The router will execute the command as if it were a legitimate request.