TOTOlink A950RG Buffer Overflow Vulnerability in Notice Configuration Interface

A buffer overflow vulnerability has been identified in the TOTOlink A950RG router, specifically in firmware version V4.1.2cu.5204_B20210112. The issue stems from inadequate input validation of the NoticeUrl parameter within the setNoticeCfg interface, located in /lib/cste_modules/system.so. This vulnerability could be exploited by a remote attacker to execute arbitrary code or cause a denial-of-service condition on the device.

Impact

Exploitation of this vulnerability can lead to arbitrary code execution or a denial-of-service condition on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the router's CGI interface with a crafted NoticeUrl parameter. The payload should include an excessively long URL string, which will trigger the buffer overflow by overwriting adjacent memory regions. This can be done using a script that automates the process, such as one written in Python that uses the requests library to send the malicious payload.