ToToLink LR1200GB and NR1800X Routers Stack Buffer Overflow Vulnerability in cstecgi.cgi Allowing Potential Code Execution

Vulnerability

A stack buffer overflow vulnerability has been identified in the cstecgi.cgi binary of ToToLink LR1200GB and NR1800X routers. The issue is in the sub_42F32C function, where the web interface processes the 'lang' parameter. The function uses sprintf() to write Help URL strings into fixed-size stack buffers without adequate length validation, so maliciously crafted input can overflow the buffers, potentially leading to arbitrary code execution or memory corruption. Notably, the vulnerability can be exploited remotely through the device's web interface without authentication.
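
The coding pattern described above next to a bounded replacement, as an added example that is not the vendor's firmware code. The function names, the 64-byte buffer size, the URL format and the language-tag policy are all assumptions, since the page does not give them.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HELP_URL_MAX 64   /* assumed size; the page does not state the real one */

/* Pattern the advisory describes: unbounded sprintf() of request data into
 * a fixed-size stack buffer. Shown for contrast only; never called here. */
void build_help_url_unsafe(const char *lang)
{
    char url[HELP_URL_MAX];
    sprintf(url, "/help/%s/index.html", lang);   /* no length check */
    (void)url;
}

/* Assumed policy: a language tag is 2 to 8 characters of [A-Za-z0-9_-]. */
static int lang_is_valid(const char *lang)
{
    size_t n = strlen(lang);
    if (n < 2 || n > 8)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)lang[i]) && lang[i] != '-' && lang[i] != '_')
            return 0;
    return 1;
}

/* Returns 0 on success, -1 if the input is rejected or would not fit. */
int build_help_url(char *out, size_t out_len, const char *lang)
{
    if (lang == NULL || !lang_is_valid(lang))
        return -1;
    int n = snprintf(out, out_len, "/help/%s/index.html", lang);
    if (n < 0 || (size_t)n >= out_len)   /* treat truncation as failure */
        return -1;
    return 0;
}

int main(void)
{
    char url[HELP_URL_MAX];
    char oversized[512];                  /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("en        -> %d\n", build_help_url(url, sizeof url, "en"));
    printf("oversized -> %d\n", build_help_url(url, sizeof url, oversized));
    return 0;
}
```

The allowlist check rejects the request before any formatting happens, and the snprintf() return-value check covers the case where a valid tag still does not fit the destination.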

Impact

Exploitation of this vulnerability causes a stack buffer overflow, which can lead to arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by sending a POST request to the device's web interface with the 'lang' parameter containing a payload designed to overflow the buffer. The 'langAutoFlag' parameter can also be included, but it is not required for exploitation.

Added: Nov 13, 2025, 4:47 PM
Updated: Nov 13, 2025, 6:34 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.