TOZED ZLT W51 Heap Inspection Vulnerability Leading to Memory Disclosure and Denial-of-Service

Vulnerability

A critical heap inspection vulnerability has been identified in TOZED ZLT W51 routers running firmware versions through 1.4.2. This vulnerability resides in a proprietary service accessed via TCP port 7777. The issue stems from improper management of memory, which allows fragments of data from previous connections to leak to new clients. This cross-connection memory disclosure can be exploited by sending specially crafted commands that manipulate the protocol state, leading to additional memory exposure and potential service disruptions.

Impact

Exploitation of this vulnerability causes sensitive data leakage between clients, including credentials and tokens, and can disrupt service availability by causing the router to hang, requiring a manual restart.

Reproduction

The vulnerability can be reproduced by connecting to the router's service on port 7777 and sending specific SOCKS protocol commands that include version bytes and padding. This process can be automated to continuously leak data from the server's memory, because memory is not properly cleared when clients disconnect.

Remediation

Users cannot disable the vulnerable service through the router's interface. However, the vulnerability can be mitigated by firewalling TCP port 7777.
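
A way to confirm that the firewall rule is in effect, as an added example that is not part of the original advisory or vendor tooling: the script only attempts a TCP handshake to port 7777 and closes it without sending data. The function names and the placeholder address 192.0.2.1 are assumptions made for this example.

```python
import socket
import sys

SERVICE_PORT = 7777  # TCP port of the vulnerable service, per the advisory


def probe_tcp(host, port=SERVICE_PORT, timeout=3.0):
    """Classify one TCP connect attempt; no payload is ever sent.

    'open'     - handshake completed: the service is reachable from here
    'closed'   - connection refused (RST), e.g. a firewall REJECT rule
    'filtered' - no answer or unreachable, e.g. a firewall DROP rule
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and host/network unreachable
        return "filtered"


def exposed_hosts(hosts, port=SERVICE_PORT, timeout=3.0):
    """Return the hosts on which the port still accepts connections."""
    return [h for h in hosts if probe_tcp(h, port, timeout) == "open"]


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address used as a placeholder (assumption).
    targets = sys.argv[1:] or ["192.0.2.1"]
    still_open = exposed_hosts(targets)
    for host in targets:
        state = "EXPOSED" if host in still_open else "not reachable"
        print(f"{host}:{SERVICE_PORT} {state}")
    sys.exit(1 if still_open else 0)
```

Run it from each network segment that the firewall rule is meant to block, since a result only describes reachability from the machine where the script runs.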

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.