CVE-2022-28494
Description
TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setUpgradeFW function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TOTOLink CP900 firmware V6.3c.566_B20171026 contains a command injection in setUpgradeFW via the filename parameter, allowing unauthenticated remote code execution.
Vulnerability
A command injection vulnerability exists in the setUpgradeFW function of TOTOLink outdoor CPE CP900 firmware version V6.3c.566_B20171026 [1]. The filename parameter within a crafted HTTP POST request is not sanitized before being passed to a system call, enabling arbitrary command execution [1]. The vulnerable endpoint is /cgi-bin/cstecgi.cgi?action=upload&setting/setUpgradeFW [1].
Exploitation
An attacker can exploit this vulnerability by sending an HTTP POST request to the aforementioned CGI endpoint [1]. The proof-of-concept shows that the filename field in the multipart form-data can contain command injection payloads, such as `1.bin;telnetd -l /bin/sh -p 8888;touch` [1]. No authentication or prior access is required, as the CGI interface is exposed to the local network or potentially the internet if the device is exposed [1]. The injection occurs within the `setUpgradeFW` function, which processes the filename input without proper filtering [1].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the web server (typically root) [1]. This can lead to complete compromise of the device, including persistent backdoor installation (as demonstrated by starting a telnet shell), data exfiltration, or use of the device in further attacks [1]. The impact on confidentiality, integrity, and availability is total.
Mitigation
As of the publication date (2023-03-23), the vendor has not released a patched firmware version [1]. Users are advised to restrict network access to the device's management interfaces (especially the CGI endpoint) via firewall rules and VLAN segmentation, or consider replacing the device if it is no longer supported [1]. No official fix is available in the references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TOTOLink/outdoor CPE CP900
Patches
No patches discovered yet.