TOTOLINK N600R NULL Pointer Dereference Vulnerability Leading to Denial-of-Service

A NULL pointer dereference vulnerability has been identified in TOTOLINK N600R firmware version 4.3.0cu.7866_B2022506. This vulnerability allows attackers to cause a denial-of-service condition by exploiting the cstecgi.cgi binary. The issue arises when the program's main function attempts to read the CONTENT_LENGTH environment variable. If the variable is not set, a null pointer is returned, which is then improperly handled by being passed to the strtol function. This mismanagement leads to the null pointer being dereferenced, causing a crash and denial-of-service.

Impact

Exploitation of this vulnerability causes a crash of the cstecgi.cgi process, leading to a denial-of-service condition on the device.

Reproduction

The vulnerability can be reproduced by using a script that simulates a request to the cstecgi.cgi binary without the CONTENT_LENGTH environment variable set. This can be done by using QEMU to emulate a MIPS environment, which is the architecture the TOTOLINK N600R runs on. After setting a breakpoint in GDB before the strtol call, the NULL pointer dereference can be observed, confirming the vulnerability.