There are three command injection vulnerabilities in TOTOLINK routers.
Affected products include, but are not limited to, TOTOLINK A950RG and TOTOLINK T10.
Affected firmware: A950RG V5.9c.4216_B20190710 and T10 V5.9c.4096_B20190509.
After logging in, an attacker can execute arbitrary Linux OS commands via "setNTPCfg", "NTPSyncWithHost" and "setDiagnosisCfg" POST requests.
In /bin/cste_sub, the load_modules() function loads all libraries located in the directory /lib/cste_modules:
The handlers of "setNTPCfg", "NTPSyncWithHost" and "setDiagnosisCfg" are located in system.so. The module_init() function in system.so registers module handlers:
These handlers do not filter insecure characters; they concatenate the input strings directly into system commands.
NTPSyncWithHost:
setDiagnosisCfg:
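The fix for handlers of this kind, shown as an added example (not code from the firmware or from this advisory): validate the user-supplied value against an allowlist and run the tool with a fixed argument vector instead of a concatenated shell string. The function names, the /bin/ping path and the idea that the handler pings a host are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if s looks like a hostname or IPv4 address: 1..253 characters,
 * only [A-Za-z0-9.-], and no leading '-' (it would be read as an option). */
int is_safe_host(const char *s)
{
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Runs argv[0] through execv, so no shell ever parses the arguments.
 * Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);               /* execv failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical hardened handler body: reject bad input (-2) before any
 * command is built, then pass the host as a single argv element. */
int diagnose_host(const char *host)
{
    if (!is_safe_host(host)) return -2;
    char *const argv[] = { "/bin/ping", "-c", "1", (char *)host, NULL };
    return run_argv(argv);
}

int main(void)
{
    /* Constructed input with a shell metacharacter: must be rejected. */
    return diagnose_host("127.0.0.1; id") == -2 ? 0 : 1;
}
```

The allowlist is the primary control; the execv call is defence in depth, since even a value that slipped through would reach the tool as one literal argument.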