TOTOLink CA750-PoE OS Command Injection Vulnerability Allowing Remote Command Execution

A command injection vulnerability has been identified in the TOTOLink CA750-PoE router running firmware version 6.2c.510. This vulnerability resides in the Setting Handler component, specifically within the setPasswordCfg function of the cgi-bin/cstecgi.cgi file. The issue arises because the admuser and admpass arguments are not properly validated, allowing remote attackers to inject and execute arbitrary operating system commands. The vulnerability has been publicly disclosed and could be exploited by crafting a specific request.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device's operating system, potentially leading to a full compromise of the device.

Reproduction

To reproduce this vulnerability, send a POST request to the /cgi-bin/cstecgi.cgi endpoint with the admuser and admpass parameters. The admpass parameter can be crafted to include a command, such as starting a telnet session on a specific port. Once the request is processed, the injected command will be executed on the router, providing a shell access through the established telnet connection.