CVE-2018-20841
Description
HooToo TripMate Titan HT-TM05 and HT-05 routers with firmware 2.000.022 and 2.000.082 allow remote command execution via shell metacharacters in the mac parameter of a protocol.csp?function=set&fname=security&opt=mac_table request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- HooToo/TripMate Titan HT-TM05 and HT-05 routers (source: description)
- Range: 2.000.022, 2.000.082
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization on the mac parameter allows shell metacharacter injection into a command executed by do_cmd."
Attack vector
An unauthenticated attacker sends a crafted GET request to `protocol.csp?function=set&fname=security&opt=mac_table` on port 81, injecting shell metacharacters (e.g., backticks) into the `mac` parameter. The `ioos` CGI server does not check the session before processing this callback (the function flag is 0x01, indicating no authentication required). The user-supplied `mac` value is concatenated into a shell command via `sprintf` and executed by `do_cmd`, giving the attacker arbitrary command execution as root [ref_id=1].
Affected code
The vulnerability resides in the `mac_table` CGI callback within the `ioos` binary, HooToo's custom HTTP server listening on port 81. The `mac` GET parameter is passed unsanitized into a `sprintf` call that builds a command string, which is then executed by `do_cmd`. The advisory identifies four OS command injections in `mac_table` via the `mac` parameter [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not describe a vendor fix; it only documents the vulnerability discovery. The researcher notes that the root cause is the lack of input sanitization on the `mac` parameter before it is passed to `sprintf` and then to `do_cmd`. To remediate, the vendor would need to validate or escape shell metacharacters in user-supplied parameters, or remove the unauthenticated access to the `mac_table` function [ref_id=1].
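The validation step described above could look like the following. This is an added example, not code from the advisory or from the vendor's firmware: `is_valid_mac` and `sanitize_mac_param` are hypothetical names, and the value is assumed to be URL-decoded already. It accepts only six hex octets and rejects everything else before any command string is built.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAC_STR_LEN 17  /* length of "aa:bb:cc:dd:ee:ff" */

/* Returns 1 only for exactly six hex octets separated by ':' or '-'. */
int is_valid_mac(const char *s)
{
    size_t i;

    if (s == NULL || strlen(s) != MAC_STR_LEN)
        return 0;
    for (i = 0; i < MAC_STR_LEN; i++) {
        unsigned char c = (unsigned char)s[i];
        if (i % 3 == 2) {                 /* separator positions 2, 5, 8, ... */
            if (c != ':' && c != '-')
                return 0;
        } else if (!isxdigit(c)) {        /* every other position: hex digit */
            return 0;
        }
    }
    return 1;
}

/*
 * Hypothetical handler-side wrapper: copies the request's mac value into
 * out, normalized to lower case with ':' separators, only if it passes
 * the allowlist. Returns 0 on success, -1 if the value must be rejected.
 */
int sanitize_mac_param(const char *raw, char *out, size_t out_len)
{
    size_t i;

    if (out == NULL || out_len < MAC_STR_LEN + 1 || !is_valid_mac(raw))
        return -1;
    for (i = 0; i < MAC_STR_LEN; i++)
        out[i] = (i % 3 == 2) ? ':' : (char)tolower((unsigned char)raw[i]);
    out[MAC_STR_LEN] = '\0';
    return 0;
}
```

An allowlist like this is narrower than escaping metacharacters, because only characters that can appear in a MAC address ever reach the command string.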
Preconditions
- auth: No authentication required; the `mac_table` CGI callback has flag 0x01 (unauthenticated access)
- network: Attacker must have network access to the router's port 81 (HTTP management interface)
- input: Attacker supplies shell metacharacters in the `mac` GET parameter
Reproduction
Send a GET request to the router's management interface with shell metacharacters in the `mac` parameter. For example, to enable telnet: `curl -i -s -k -X $'GET' $'http://10.10.10.254:81/protocol.csp?function=set&fname=security&opt=mac_table&mac=%60/etc/init.d/teld.sh%20start%60'` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- ioactive.com/hootoo-tripmate-routers-are-cute-but/ (mitre, x_refsource_MISC)
- www.exploit-db.com/exploits/46143 (mitre, x_refsource_MISC)