TOTOLINK A3300R Buffer Overflow Vulnerability in DMZ Configuration Function

A stack-based buffer overflow vulnerability has been identified in the TOTOLINK A3300R router, specifically in the firmware version 17.0.0cu.557_B20221024. The issue arises in the 'setDmzCfg' function within the file '/cgi-bin/cstecgi.cgi'. The vulnerability is triggered by the 'ip' POST parameter, which is processed without proper input validation or length checks. This oversight allows for excessive data to be written to the stack, potentially leading to arbitrary code execution. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability causes a stack overflow, which can lead to arbitrary code execution.

Reproduction

To reproduce this vulnerability, send a POST request to the '/cgi-bin/cstecgi.cgi' endpoint with the 'topicurl' parameter set to 'setDmzCfg', the 'enable' parameter set to '1', and the 'ip' parameter containing a payload of arbitrary length. This will trigger the buffer overflow by overwriting the 'host' configuration value. After the payload is stored, send another POST request with the 'topicurl' parameter set to 'getDmzCfg' to retrieve the 'host' value, which will now include the overflowed data, demonstrating the vulnerability.