TOTOLINK A3300R Stack-Based Buffer Overflow Vulnerability in setScheduleCfg Function

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the TOTOLINK A3300R router, firmware version 17.0.0cu.557_B20221024. The issue is in the POST parameter handler in the file /cgi-bin/cstecgi.cgi. The recHour parameter of the setScheduleCfg function is written to the configuration without proper length or content validation, so an excessively long string can be stored, leading to a stack-based buffer overflow. The vulnerability can be exploited remotely, and a proof-of-concept exploit is available.
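
The missing checks described above, sketched as an added example (this is not the vendor's code and not taken from the firmware): the value is validated for length and content before it is stored, and the read-back path refuses to copy an oversized stored value into a fixed buffer. The function names, the assumption that recHour is an hour of day ("0" to "23"), and the sample inputs are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: recHour holds an hour of day, "0".."23". */
#define REC_HOUR_MAX_LEN 2

/* Hypothetical input check, run before the value is written to the
 * configuration. Returns 1 if length and content are acceptable. */
int rec_hour_valid(const char *val)
{
    size_t len = 0;
    int hour = 0;

    if (val == NULL)
        return 0;
    /* Bounded scan: give up as soon as the value is too long. */
    while (val[len] != '\0') {
        if (len >= REC_HOUR_MAX_LEN)
            return 0;
        if (val[len] < '0' || val[len] > '9')
            return 0;
        hour = hour * 10 + (val[len] - '0');
        len++;
    }
    return len > 0 && hour <= 23;
}

/* Hypothetical read-back path: stored data is not trusted either, so an
 * oversized value is rejected rather than copied with strcpy().
 * Returns 0 on success, -1 on rejection (dst is left empty). */
int copy_stored_value(const char *stored, char *dst, size_t dst_len)
{
    size_t len;

    if (stored == NULL || dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    len = strlen(stored);
    if (len >= dst_len)          /* no room for value plus NUL */
        return -1;
    memcpy(dst, stored, len + 1);
    return 0;
}

int main(void)
{
    char buf[8];
    /* Constructed inputs: a valid hour and an oversized value. */
    return !(rec_hour_valid("23") && !rec_hour_valid("AAAAAAAAAAAAAAAA")
             && copy_stored_value("AAAAAAAAAAAAAAAA", buf, sizeof buf) == -1);
}
```

Checking on both paths matters here because the page describes the value being stored first: a configuration entry written before a fix is deployed can still be oversized when it is read back.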

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to arbitrary code execution or a denial-of-service condition by crashing the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/cstecgi.cgi endpoint with a crafted recHour parameter that exceeds the buffer length. This can be done using a script that automates the process, such as one written in Python that uses the requests library to send the payload.

Added: Oct 27, 2025, 10:22 AM
Updated: Oct 27, 2025, 1:54 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.