Totolink A3300R Command Injection Vulnerability

A command injection vulnerability has been identified in the Totolink A3300R router, specifically in version 17.0.0cu.557_b20221024. The issue arises in the web service 'shttpd', within the 'setSyslogCfg' function of the '/cgi-bin/cstecgi.cgi' file. This vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands on the device by sending a crafted HTTP request. The root cause is the improper handling of user input, which enables the injection of malicious commands that are executed via the 'execv()' system call.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, potentially leading to a complete compromise of the router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'rtLogServer' parameter set to a command, such as 'wget', targeting a server under the attacker's control. The router will execute the command, demonstrating the command injection flaw.