TOTOLINK T10 Stack-Based Buffer Overflow Vulnerability in cstecgi.cgi

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the TOTOLINK T10 router running firmware version 4.1.8cu.5083_B20200521. The issue arises in the cstecgi.cgi component, where user-controlled input from HTTP login requests is passed to the sprintf function without a length check, so oversized input overflows a fixed-size stack buffer. This vulnerability can be exploited remotely without authentication, leading to memory corruption and potential denial-of-service conditions.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can corrupt memory and disrupt normal device operation, potentially leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending an HTTP login request (action=login) with manipulated input in the loginAuthUrl parameter. The overflow occurs when this input exceeds the buffer size of 4096 bytes, because the sprintf call performs no bounds checking. The vulnerable code path is not accessible in emulated environments due to hardware-specific initialization requirements, but can be triggered on real devices during standard web management operations.
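
The fix for this class of bug is to bound the write and reject input that does not fit. The following is an added example, not code from the firmware or the vendor: the function names and the "url=%s" format string are hypothetical, and only the 4096-byte buffer size and the loginAuthUrl parameter come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define AUTH_BUF_SIZE 4096 /* stack buffer size stated in the advisory */

/* Unsafe pattern of the kind described (hypothetical reconstruction):
 *     char buf[AUTH_BUF_SIZE];
 *     sprintf(buf, "url=%s", login_auth_url);   // copy length set by the client
 */

/* Bounded replacement. Returns 0 on success, -1 if the input is missing
 * or the formatted result would not fit in dst (including the NUL). */
int format_login_auth_url(char *dst, size_t dst_size, const char *login_auth_url)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (login_auth_url == NULL)
        return -1;

    /* snprintf never writes more than dst_size bytes and returns the length
     * the full output would have had, which exposes truncation. */
    int n = snprintf(dst, dst_size, "url=%s", login_auth_url);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0'; /* do not leave a truncated value behind */
        return -1;
    }
    return 0;
}

/* Handler-style wrapper (hypothetical): formatted length, or -1 when rejected. */
int handle_login(const char *login_auth_url)
{
    char buf[AUTH_BUF_SIZE];
    if (format_login_auth_url(buf, sizeof buf, login_auth_url) != 0)
        return -1; /* reject the request instead of overflowing the stack */
    return (int)strlen(buf);
}

int main(void)
{
    char oversized[5000]; /* constructed sample: longer than the buffer */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("normal:    %d\n", handle_login("/home.html"));
    printf("oversized: %d\n", handle_login(oversized));
    return 0;
}
```

Checking the snprintf return value matters as much as the size argument: silently truncating a URL can change its meaning, so the request is rejected instead.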

Added: Dec 19, 2025, 7:19 PM
Updated: Dec 19, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 1.6
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.