Totolink A8000RU Command Injection Vulnerability in Web Management Interface

A command injection vulnerability has been identified in the Totolink A8000RU router, specifically in version 7.1cu.643_b20200521. The issue resides within the Web Management Interface, in the function setParentalRules of the file cstecgi.cgi. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the enable parameter in a crafted request.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to the /cgi-bin/cstecgi.cgi endpoint. Include the topicurl parameter set to 'setParentalRules' and the enable parameter with a payload that includes the desired command, such as 'ls' redirected to a file. After the request is processed, the command will be executed, and the output can be verified by checking the contents of the specified file.