system.so-setNoticeCfg-NoticeUrl
[CVE-ID]
[PRODUCT]
TOTOLINK
[Vendor of Product]
[VERSION]
A800R V4.1.2cu.5137_B20200730
[Firmware]
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/166/ids/36.html
[Vulnerability Type]
RCE
[Description]
The TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.
The NoticeUrl value is user-controllable. The GetDomainName function extracts the domain part from the URL and assigns it to v36. The value then enters the validity_check function, which tests whether special characters are present; if they are, the function returns immediately.
This check can be bypassed with a newline character: in JSON request data, the escape sequence \\n decodes to a newline and achieves this.
If no special characters are found, processing continues and the value reaches the system function.
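The root cause described above is a blacklist-style character check that does not account for control characters such as newline, placed in front of a call to system(). The following C function is an added example, not code from the advisory or from TOTOLINK firmware: it is a hypothetical hardened replacement for a validity_check-style routine, written as an allowlist (letters, digits, '.', '-', with hostname label rules) so that a newline, a carriage return, a shell metacharacter or any other byte outside the allowlist is rejected before the value could ever be placed into a command string. The function name and limits are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened hostname validator (example code, not the vendor's).
 * Allowlist policy: only ASCII letters, digits, '.' and '-' are accepted,
 * labels are 1..63 bytes, may not start or end with '-', and the whole
 * name is at most 253 bytes. Every other byte, including '\n' and '\r'
 * that a JSON "\\n" escape decodes to, causes rejection. */
#define MAX_HOST_LEN  253
#define MAX_LABEL_LEN 63

bool is_safe_hostname(const char *host)
{
    if (host == NULL)
        return false;

    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOST_LEN)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];

        if (c == '.') {
            /* an empty label (leading dot or "..") is invalid */
            if (label_len == 0)
                return false;
            label_len = 0;
            continue;
        }

        /* allowlist check: anything that is not a letter, digit or hyphen
         * (control characters, spaces, ';', '|', '`', '$', non-ASCII) fails */
        if (!(isalnum(c) || c == '-'))
            return false;

        /* a hyphen may not begin or end a label */
        if (c == '-' && (label_len == 0 || i + 1 == len || host[i + 1] == '.'))
            return false;

        if (++label_len > MAX_LABEL_LEN)
            return false;
    }

    /* a trailing dot leaves label_len == 0, which we also reject */
    return label_len > 0;
}

/* Small demonstration using constructed sample inputs. */
int main(void)
{
    const char *samples[] = {
        "example.com",            /* legitimate, accepted */
        "xn--80ak6aa92e.com",     /* punycode label, accepted */
        "example.com\nextra",     /* decoded JSON "\\n", rejected */
        "example.com;id",         /* shell metacharacter, rejected */
        "-bad.com",               /* label begins with hyphen, rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               is_safe_hostname(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Allowlisting is the point of the example: a validator that enumerates what is permitted does not need to know which bytes a shell treats specially, so the newline bypass (and any similar omission from a blacklist) cannot occur. Independently of validation, the other mitigation a reviewer would ask for is to avoid handing the value to a shell through system() at all and to invoke the target program with an argument vector instead.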