TOTOLink CA750-PoE OS Command Injection Vulnerability

A command injection vulnerability has been identified in the TOTOLink CA750-PoE router running firmware version 6.2c.510. The issue arises in the Setting Handler component, specifically within the NTPSyncWithHost function of the cstecgi.cgi file. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the host_time argument. The exploit has been publicly disclosed and is available for use.

Impact

Exploitation of this vulnerability leads to unauthorized execution of operating system commands on the affected device, potentially allowing for further exploitation or manipulation of the device's functions.

Reproduction

To reproduce this vulnerability, send a POST request to the /cgi-bin/cstecgi.cgi endpoint. Include a crafted payload in the host_time parameter, such as a command to be executed by the system, wrapped in a specific format. The request should be made with a valid session cookie to authenticate the request.