Submission #815068: Totolink N300RHv4 V6.1c.1353_B20190305 OS Command Injection

Title: Totolink N300RHv4 V6.1c.1353_B20190305 OS Command Injection
Description: A pre-authentication OS command injection vulnerability exists in the TOTOLINK N300RH wireless router (firmware version V6.1c.1353_B20190305) within the web management interface exposed via /cgi-bin/cstecgi.cgi. The vulnerability resides in the setPasswordCfg functionality, which processes user-supplied input from HTTP requests. Specifically, the "admpass" parameter is not properly sanitized or validated before being incorporated into a system-level command. The application directly concatenates this parameter into a shell command and executes it using an underlying system call (e.g., CsteSystem or an equivalent function within system.so). Due to improper neutralization of special characters, an unauthenticated remote attacker can inject arbitrary shell commands by embedding command separators such as ';', '|', '&', or backticks within the "admpass" parameter. This allows execution of arbitrary operating system commands in the context of the device. The vulnerable endpoint can be accessed without authentication, and no user interaction is required. As a result, exploitation can be performed remotely over the network by sending a crafted HTTP POST request.

Proof of Concept (PoC):

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: TARGET_IP
Content-Type: application/x-www-form-urlencoded

topicurl=setPasswordCfg&admpass=admin;id

Alternatively:

topicurl=setPasswordCfg&admpass=admin;cat /etc/passwd

Successful exploitation results in execution of injected commands with root privileges, as the web service runs with elevated permissions on the device's embedded Linux system. Verification of successful exploitation can be achieved by observing command output in the HTTP response (if returned), or by identifying side effects such as system behavior changes, file modifications, or outbound network connections initiated by the injected command.

Impact:
- Remote unauthenticated command execution
- Full compromise of the affected device
- Unauthorized configuration changes
- Persistence via backdoor installation
- Potential use in botnet propagation or lateral movement within internal networks

This vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
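As a defensive complement to the report above, the following added example (not part of the submission or of any TOTOLINK code) scans recorded POST bodies to /cgi-bin/cstecgi.cgi for setPasswordCfg requests whose "admpass" value contains the shell separators the report names. The log format, sample addresses and the handler name someOtherCfg are constructed for the example.

```python
from urllib.parse import unquote_plus

# Separators the report names as usable for injection in "admpass". A password
# set through the device UI should not need them, so their presence is a strong
# indicator. (Assumption: the body is application/x-www-form-urlencoded.)
SHELL_SEPARATORS = (";", "|", "&", "`")


def parse_form_body(body: str) -> dict:
    """Decode a form body into {name: [values]}. Split on '&' only, then
    percent-decode, so an encoded %26 inside a value stays a literal '&' in
    that value instead of starting a new parameter."""
    params: dict = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def suspicious_separators(body: str) -> list:
    """Return the separators present in any admpass value of a setPasswordCfg
    request (in SHELL_SEPARATORS order), or [] if the body is not such a
    request or the password contains none of them."""
    params = parse_form_body(body)
    if "setPasswordCfg" not in params.get("topicurl", []):
        return []
    found = set()
    for value in params.get("admpass", []):
        found.update(sep for sep in SHELL_SEPARATORS if sep in value)
    return [sep for sep in SHELL_SEPARATORS if sep in found]


def scan_request_log(entries: list) -> list:
    """Given (client_ip, path, body) tuples, return (client_ip, separators)
    for every entry that targets cstecgi.cgi with a suspicious admpass."""
    alerts = []
    for client_ip, path, body in entries:
        if path.startswith("/cgi-bin/cstecgi.cgi"):
            seps = suspicious_separators(body)
            if seps:
                alerts.append((client_ip, seps))
    return alerts


# Constructed sample traffic, not captured from a real device.
SAMPLE_LOG = [
    ("192.0.2.10", "/cgi-bin/cstecgi.cgi", "topicurl=setPasswordCfg&admpass=S3cure%21pass"),
    ("198.51.100.7", "/cgi-bin/cstecgi.cgi", "topicurl=setPasswordCfg&admpass=admin%3Bid"),
    ("198.51.100.8", "/cgi-bin/cstecgi.cgi", "topicurl=setPasswordCfg&admpass=x%60uname%60"),
    ("203.0.113.5", "/cgi-bin/cstecgi.cgi", "topicurl=someOtherCfg&admpass=admin;id"),
]

if __name__ == "__main__":
    for ip, seps in scan_request_log(SAMPLE_LOG):
        print(f"ALERT setPasswordCfg admpass injection attempt from {ip}: {seps}")
```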
Source: https://github.com/A1ester/TOTOLINK-N300RH-Command-Injection
User: a1ester (UID 97680)
Submitted: 28/04/2026 17:17 (1 month ago)
Moderated: 26/05/2026 08:38 (28 days later)
Status: Accepted
VulDB Entry: 365607 [Totolink N300RH 6.1c.1353_B20190305 Web Management Interface /cgi-bin/cstecgi.cgi setPasswordCfg admpass privilege escalation]
Points: 20
