Totolink A8000RU Command Injection Vulnerability in CGI Handler

A command injection vulnerability has been identified in the Totolink A8000RU router, specifically in the version 7.1cu.643_b20200521. The issue resides within the CGI handler, in a function called setPptpServerCfg, located in the file /cgi-bin/cstecgi.cgi. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter in a crafted HTTP request. The injected commands are executed with root privileges on the device, potentially leading to a full compromise of the router and the network it is connected to.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the router with root privileges, leading to a complete compromise of the device. This could also result in further exploitation of the connected network.

Reproduction

To reproduce this vulnerability, send a POST request to the /cgi-bin/cstecgi.cgi endpoint with the 'enable' parameter set to a command, such as 'ls>./setPptpServerCfg.txt'. The router will execute the command and create a text file with the command's output, confirming the injection was successful.