TOTOLINK CA750-PoE
- 6.2c.510
An OS command injection vulnerability has been identified in the TOTOLINK CA750-PoE router running firmware version 6.2c.510. The issue is in the Setting Handler component, specifically the 'setUnloadUserData' function of the '/cgi-bin/cstecgi.cgi' file. The vulnerability can be exploited remotely by manipulating the 'plugin_version' argument, allowing attackers to execute arbitrary OS commands on the device.
Exploitation of this vulnerability leads to unauthorized execution of OS commands on the affected router, potentially allowing for further system compromise or manipulation.
To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with a crafted 'plugin_version' parameter. The router will execute the command included in the 'plugin_version' field. For example, setting 'plugin_version' to 'telnetd -l /bin/sh -p 8892' will launch a shell accessible via telnet on port 8892.
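A detection-side check for the request described above, as an added example that is not part of the original advisory or any TOTOLINK code: it flags POST requests to '/cgi-bin/cstecgi.cgi' whose 'plugin_version' value is not a plain version string. The JSON and form-encoded body formats, the 'topicurl' field in the samples, and the version pattern are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"
# Assumption: a legitimate plugin_version is a short dotted version string.
VERSION_RE = re.compile(r"[0-9A-Za-z]+(?:\.[0-9A-Za-z]+){0,4}")


def extract_params(body):
    """Return parameters from a JSON or form-encoded body (both formats assumed)."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_suspicious(method, path, body):
    """Flag POSTs to the CGI whose plugin_version is not a plain version string."""
    if method.upper() != "POST" or path.split("?", 1)[0] != CGI_PATH:
        return False
    value = extract_params(body).get("plugin_version")
    return value is not None and VERSION_RE.fullmatch(value) is None


# Constructed sample requests (method, path, body); not captured traffic.
# The "topicurl" selector field is an assumption about the request layout.
SAMPLES = [
    ("POST", CGI_PATH, '{"topicurl": "setUnloadUserData", "plugin_version": "1.0.3"}'),
    ("POST", CGI_PATH, '{"topicurl": "setUnloadUserData", '
                       '"plugin_version": "telnetd -l /bin/sh -p 8892"}'),
    ("POST", CGI_PATH, "topicurl=setUnloadUserData&plugin_version=6.2c.510"),
    ("POST", CGI_PATH, "plugin_version=telnetd+-l+%2Fbin%2Fsh+-p+8892"),
    ("GET", "/index.html", ""),
]


def scan(requests):
    """Return the requests that should raise an alert."""
    return [r for r in requests if is_suspicious(*r)]


if __name__ == "__main__":
    for method, path, body in scan(SAMPLES):
        print("ALERT", method, path, body)
```

The same allowlist can be enforced in a reverse proxy or WAF rule in front of the device's management interface, rejecting the request rather than only alerting on it.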