Totolink N300RH External Control of File Name Vulnerability Allowing Arbitrary File Deletion
Vulnerability
A vulnerability exists in the Totolink N300RH wireless router, specifically in version 6.1c.1353_B20190305. The issue is in the web management interface, within the 'setUploadSetting' function of the 'cstecgi.cgi' file. The function allows external control of file names: a remote attacker can manipulate the 'FileName' parameter to delete arbitrary files on the device's filesystem with root privileges. The vulnerability is publicly exploitable, and a proof-of-concept is available.
Impact
Exploitation of this vulnerability allows for arbitrary file deletion on the device, with root privileges. This could lead to bricking the device, causing a denial-of-service condition, or potentially compromising the entire system.
Reproduction
To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with 'topicurl' set to 'setUploadSetting'. Include an arbitrary file path in the 'FileName' parameter, bypassing any intended directory restrictions. The 'ContentLength' parameter should also be specified. Upon deletion, the response will confirm the action.
Remediation
Users are advised to validate and sanitize file paths, ensuring that only expected patterns are accepted and rejecting path traversal sequences. Implement authentication and authorization for sensitive endpoints, and run the web server with minimal privileges to limit the impact of such vulnerabilities.
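The file-path validation described above, sketched in C as an added example (not Totolink's code and not taken from the firmware). The function names, the 64-character limit and the idea of a dedicated upload directory are assumptions made for illustration.

```c
/* Added example: hypothetical hardened delete for an upload handler. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Allowlist: 1..64 chars of [A-Za-z0-9._-], no leading '.', so '/' and ".." never pass. */
int is_safe_upload_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Delete `name` only if it is a regular file directly inside `upload_dir`.
 * Returns 0 on success, -1 if the name is rejected or the delete fails. */
int delete_upload(const char *upload_dir, const char *name)
{
    struct stat st;
    int rc = -1;
    if (!is_safe_upload_name(name))
        return -1;
    int dirfd = open(upload_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    /* Resolve relative to dirfd; refuse symlinks, directories and devices. */
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISREG(st.st_mode))
        rc = unlinkat(dirfd, name, 0);
    close(dirfd);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a traversal path and a plain file name. */
    printf("%d\n", is_safe_upload_name("../../etc/passwd"));
    printf("%d\n", is_safe_upload_name("fw_update.bin"));
    return 0;
}
```

The check only narrows what the handler can delete; the authentication and least-privilege measures in the paragraph above are still needed.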
