system.so-setNoticeCfg-NoticeUrl

[CVE-ID]

[PRODUCT]

TOTOLINK

[Vendor of Product]

https://www.totolink.net/

[VERSION]

A810R V4.1.2cu.5182_B20201026

[Firmware]

https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/169/ids/36.html

[Vulnerability Type]

RCE

[Description]

The TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

The NoticeUrl value is user-controllable. The GetDomainName function extracts the domain part of the URL and assigns it to v36, which is then passed to the validity_check function to test for special characters. If special characters are present, the function returns immediately.

The validity_check function can be bypassed using newline characters, and \\n can be used in JSON data to achieve this.

If no special characters are detected, execution continues and reaches the call to the system function.

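[Mitigation example]

The following is an added example, not code from the firmware or from the original report. It contrasts a denylist check that does not list the newline character with an allowlist hostname check that rejects it. The names denylist_check and hostname_is_safe and the denylist character set are assumptions, since the real validity_check character list is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a denylist check. The character set is an
 * assumption, not the firmware's actual list. Returns 1 if accepted. */
int denylist_check(const char *s)
{
    return strpbrk(s, ";|&`$<>'\"") == NULL;
}

/* Allowlist check: accept only hostnames made of labels of [A-Za-z0-9-],
 * 1..63 bytes each, no leading or trailing '-', at most 253 bytes total.
 * Everything else, '\n' included, is rejected. Returns 1 if accepted. */
int hostname_is_safe(const char *s)
{
    size_t total = strlen(s), label = 0;

    if (total == 0 || total > 253)
        return 0;
    for (size_t i = 0; i < total; i++) {
        char c = s[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;       /* empty label, or label ends in '-' */
            label = 0;
        } else if (alnum || c == '-') {
            if (c == '-' && label == 0)
                return 0;       /* label starts with '-' */
            if (++label > 63)
                return 0;
        } else {
            return 0;           /* newline, space, shell metacharacter, ... */
        }
    }
    return label > 0 && s[total - 1] != '-';
}

int main(void)
{
    const char *sample = "example.com\nxyz";   /* constructed input */
    printf("denylist accepts: %d\n", denylist_check(sample));
    printf("allowlist accepts: %d\n", hostname_is_safe(sample));
    return 0;
}
```

Even with an allowlist in place, passing the validated value as a separate argv element to an exec-family call, rather than building a string for system, removes the shell from the path entirely.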