Totolink A800R
cpe:2.3:h:totolink:a800r:*:*:*:*:*:*:*
- 5.9c.681_B20180413
An authentication bypass vulnerability has been identified in the Totolink A8000R router, specifically in firmware version 5.9c.681_B20180413. The issue is in the CGI script '/cgi-bin/cstecgi.cgi', within the 'setLanguageCfg' function. The vulnerability allows remote attackers to manipulate the 'langType' parameter, bypassing authentication and accessing restricted functions. Exploitation requires no login credentials, because the script fails to validate session cookies or authentication tokens before processing requests.
Exploitation of this vulnerability allows unauthenticated remote attackers to modify device settings, including WiFi configurations, administrative passwords, and firewall rules. Additionally, the vulnerability could be combined with other command injection flaws in the router to execute arbitrary commands with elevated privileges.
To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' without including any authentication cookies or tokens. The request should contain a JSON payload that includes the 'topicurl' parameter set to 'setting/setLanguageCfg' and the 'langType' parameter with the desired value. The server will respond with a success message, indicating that the authentication bypass was successful.
It is recommended to implement restrictive firewall rules to block unauthorized access to the vulnerable CGI script.
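Alongside the firewall rule, a detection check for the request shape described in the reproduction steps can run over HTTP logs from a proxy or sensor in front of the router. This is an added example, not part of the advisory or any vendor tooling; the JSON-lines log format, its field names (`src`, `method`, `path`, `headers`, `body`), the cookie name and all sample records are constructed assumptions.

```python
import json

CGI_PATH = "/cgi-bin/cstecgi.cgi"
WATCHED_TOPIC = "setLanguageCfg"

def has_session(headers):
    """True if the request carried a non-empty Cookie or Authorization header."""
    lowered = {str(k).lower(): str(v) for k, v in headers.items()}
    return any(lowered.get(h, "").strip() for h in ("cookie", "authorization"))

def is_unauthenticated_langcfg(record):
    """Flag a credential-less POST to the CGI script that names setLanguageCfg."""
    if not isinstance(record, dict) or str(record.get("method", "")).upper() != "POST":
        return False
    if str(record.get("path", "")).split("?", 1)[0] != CGI_PATH:
        return False
    if has_session(record.get("headers") or {}):
        return False
    try:
        body = json.loads(record.get("body", ""))
    except (TypeError, ValueError):
        return False  # body is absent or not JSON
    if not isinstance(body, dict):
        return False
    topic = str(body.get("topicurl", ""))
    return topic.rsplit("/", 1)[-1] == WATCHED_TOPIC and "langType" in body

def scan(lines):
    """Return the source address of every flagged request in JSON-lines input."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip blank or malformed log lines
        if is_unauthenticated_langcfg(record):
            hits.append(record.get("src", "unknown"))
    return hits

def _rec(src, headers, body):  # helper that builds one constructed log line
    return json.dumps({"src": src, "method": "POST", "path": CGI_PATH,
                       "headers": headers, "body": json.dumps(body)})

# Constructed sample log (documentation addresses, placeholder cookie and topic).
SAMPLE_LOG = [
    _rec("192.0.2.10", {"Cookie": "SESSION_ID=placeholder"}, {"topicurl": "setting/setLanguageCfg", "langType": "en"}),
    _rec("198.51.100.7", {}, {"topicurl": "setting/setLanguageCfg", "langType": "en"}),
    _rec("198.51.100.8", {"cookie": ""}, {"topicurl": "setting/setLanguageCfg", "langType": "cn"}),
    _rec("192.0.2.11", {}, {"topicurl": "setting/exampleOtherCfg"}),
]
```

Requests that carry a cookie are not flagged, so this covers only the credential-less request shape from the reproduction steps.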