Totolink A8000RU Command Injection Vulnerability in Web Management Interface

A command injection vulnerability has been identified in the Totolink A8000RU router, specifically in version 7.1cu.643_b20200521. The issue arises within the web management interface, in the file '/cgi-bin/cstecgi.cgi', particularly in the 'UploadOpenVpnCert' function. The vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'FileName' parameter. The injected commands are executed through the 'execv()' function, after being processed by 'snprintf' and passed to a custom system execution function.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'FileName' parameter set to a crafted command, such as '`ls>./UploadOpenVpnCert.txt`'. This will execute the command on the router and create a text file with the command's output.