A critical vulnerability has been identified in TOTOLINK NR180X (V9.1.u.6279_B20210910) routers, which allows arbitrary commands to be executed by attackers. This vulnerability, assigned CVE-2022-44251, is caused by a command injection via the 'ussd' parameter in the 'setUssd' function. If exploited, this vulnerability could lead to unauthorized access, data exfiltration, and potentially more significant damage to the targeted networks and devices.

In this extensive post, we will analyze the vulnerability, explain how it can be exploited, and provide a code snippet to demonstrate the issue. We will also provide links to the original references where this vulnerability was detailed and discuss possible mitigation strategies.

Vulnerability Details

The command injection vulnerability originates from the 'setUssd' function in the TOTOLINK router's firmware. The 'ussd' parameter is not sanitized before use, allowing an attacker with access to the web interface to inject and execute arbitrary commands.

The relevant code snippet (from the setUssd function) showcasing the vulnerability:

#include <stdio.h>
#include <stdlib.h>
/* 'ussd' comes straight from the request and is never filtered */
void setUssd(const char *ussd) {
    char cmd[256];
    snprintf(cmd, sizeof(cmd), "at_cli AT+CUSD=1,\"%s\",15", ussd);
    system(cmd);
}

As can be seen in the code, the 'ussd' parameter is formatted directly into the 'cmd' string, which is then handed to system(). Because system() runs the string through /bin/sh, any shell metacharacters in the parameter are interpreted by the shell, leading to a command injection vulnerability.

Exploitation

To exploit this vulnerability, an attacker would require access to the router's web interface, where the 'ussd' parameter can be manipulated. The attacker could craft a malicious request carrying a command-injection payload as follows:

http://<router_ip>/boafrm/setUssd?ussd=<USSD_CODE>;%20<ARBITRARY_COMMAND>;

Here, <router_ip> is replaced with the IP address of the target router, <USSD_CODE> with a valid USSD code, and <ARBITRARY_COMMAND> with the desired malicious command.
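The following C program is an added example written for this post; it is not code from TOTOLINK's firmware or from the original researchers. It covers both the code pattern in the Vulnerability Details section and the request shape shown above: a hardened setUssd that checks the parameter against a USSD allowlist and runs the helper through execv with a fixed argv instead of system(), plus a small check that flags request targets whose ussd= value would fail that allowlist, which can be run over web-server access logs. The at_cli path, the 32-character length cap, the allowlist rule itself, and the sample request strings are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist for a USSD code: starts with '*' or '#', ends with '#', and contains
 * only digits, '*' and '#'. The 32-character cap is an assumed limit. */
#define USSD_MAX 32

bool ussd_is_valid(const char *ussd)
{
    if (ussd == NULL) return false;
    size_t n = strlen(ussd);
    if (n < 2 || n > USSD_MAX) return false;
    if (ussd[0] != '*' && ussd[0] != '#') return false;
    if (ussd[n - 1] != '#') return false;
    for (size_t i = 0; i < n; i++) {
        char c = ussd[i];
        if (!((c >= '0' && c <= '9') || c == '*' || c == '#')) return false;
    }
    return true;
}

/* Build the AT command as a single argv element. With execv the string reaches
 * at_cli byte-for-byte; with system() the shell would have parsed it first. */
int build_at_command(char *out, size_t outsz, const char *ussd)
{
    if (!ussd_is_valid(ussd)) return -1;
    int n = snprintf(out, outsz, "AT+CUSD=1,\"%s\",15", ussd);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened counterpart of the snippet in the post: validate, then exec a fixed argv.
 * The at_cli path is an assumption. Returns -1 on rejection, else at_cli's exit code. */
int setUssd_hardened(const char *ussd)
{
    char at[USSD_MAX + 32];
    if (build_at_command(at, sizeof at, ussd) != 0) return -1;
    char *argv[] = { "/usr/bin/at_cli", at, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                 /* exec failed: report it without running a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Detection side: percent-decode helper for one hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns 1 if the request target is setUssd with a ussd= value outside the
 * allowlist, 0 if the value is clean or the request is for something else. */
int request_is_suspicious(const char *target)
{
    if (strstr(target, "/boafrm/setUssd") == NULL) return 0;
    const char *p = strstr(target, "ussd=");
    if (p == NULL) return 0;
    p += 5;
    char val[USSD_MAX + 1];
    size_t n = 0;
    while (*p && *p != '&') {
        char c = *p;
        if (c == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            c = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 3;
        } else {
            p++;
        }
        if (n >= USSD_MAX) return 1;       /* longer than any legitimate code */
        val[n++] = c;
    }
    val[n] = '\0';
    return ussd_is_valid(val) ? 0 : 1;
}

int main(void)
{
    /* Constructed sample request targets: one benign, one carrying a separator. */
    const char *samples[] = { "/boafrm/setUssd?ussd=*100%23",
                              "/boafrm/setUssd?ussd=*100%23;%20id;" };
    for (size_t i = 0; i < 2; i++)
        printf("%-40s -> %s\n", samples[i],
               request_is_suspicious(samples[i]) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

Build with a plain `cc` invocation and run it; the main prints a verdict for each constructed request target. Note that setUssd_hardened only forks once validation has passed, so a rejected value never reaches any process, and because argv is fixed there is no shell in the path at all.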

Original References

The original discovery of this vulnerability can be credited to the following researchers and their work:

1. TOTOLINK NR180X Command Injection via USSD by Zhiniang Peng & Hui Wang @ Qihoo 360 Vulcan Team
2. CVE-2022-44251 Vulnerability Details

Mitigation

As per the available information, TOTOLINK has not yet released a firmware update addressing CVE-2022-44251. Therefore, users are highly recommended to take the following steps to protect their routers:

Closing

CVE-2022-44251 poses a significant threat to TOTOLINK NR180X routers, as successful exploitation of this vulnerability could provide attackers with unauthorized access to the targeted device, and potentially the entire network. It's crucial for organizations and individuals using these routers to follow the suggested mitigation steps and keep an eye out for any updates from the manufacturer. We hope that TOTOLINK will address this critical issue in the upcoming firmware versions, and users will be able to apply the necessary updates to protect their devices.

Timeline

Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:42:00 UTC