Totolink A3300R Command Injection Vulnerability

A command injection vulnerability has been identified in the Totolink A3300R router, specifically in version 17.0.0cu.557_b20221024. The issue arises in the web service 'shttpd', within the function 'setIptvCfg' of the file '/cgi-bin/cstecgi.cgi'. The vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'vlanPriLan3' parameter in a crafted request. This exploitation could lead to a complete compromise of the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, potentially leading to a full compromise of the router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'vlanPriLan3' parameter set to a command payload, such as 'wget' to download a file from a remote server. The router will execute the command, demonstrating the command injection vulnerability.