Totolink A8000RU Command Injection Vulnerability in Web Management Interface

A command injection vulnerability has been identified in the Totolink A8000RU router, specifically in version 7.1cu.643_b20200521. The issue resides within the Web Management Interface, in the function setOpenVpnCertGenerationCfg of the file /cgi-bin/cstecgi.cgi. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the servername parameter in a crafted request.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to /cgi-bin/cstecgi.cgi with the topicurl parameter set to 'setOpenVpnCertGenerationCfg' and the servername parameter crafted to include the desired command, such as 'ls>./setOpenVpnCertGenerationCfg.txt'. The router will execute the command and create a text file with the command's output.