ToToLink A720R
cpe:2.3:h:totolink:a720r:*:*:*:*:*:*:*
- V4.1.5cu.614_B20230630
A stack buffer overflow vulnerability has been identified in the ToToLink A720R Router firmware version 4.1.5cu.614_B20230630. The issue resides within the sysconf binary, specifically in the sub_401EE0 function. The vulnerability arises because the binary reads the /proc/stat file using fgets() into a local buffer, and then parses the line with sscanf() into a single-byte variable using the %s format specifier. This allows maliciously crafted /proc/stat content to overwrite adjacent stack memory, potentially enabling an attacker with filesystem write privileges to execute arbitrary code on the device.
Exploitation of this vulnerability can lead to a stack buffer overflow, allowing for arbitrary code execution on the device.
The vulnerability can be reproduced by creating a symbolic link to a maliciously crafted /proc/stat file that contains data designed to overflow the buffer in the sysconf binary. Once the link is in place, the sysconf binary can be executed, which will read the crafted /proc/stat content and trigger the buffer overflow.
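The defect class described above, shown next to a bounded replacement. This is an added example, not code from the firmware or the original advisory; the function names, the buffer sizes, and the assumption that sysconf wants the aggregate "cpu" counters are illustrative.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the advisory describes (a reconstruction, not decompiled firmware code;
 * N and the trailing conversions are assumptions):
 *     char line[N]; char tag;                   // one-byte destination
 *     fgets(line, sizeof line, fp);
 *     sscanf(line, "%s ...", &tag, ...);        // %s has no width: stores the whole token plus NUL
 */

/* Bounded parse of the aggregate "cpu user nice system idle ..." line.
 * Returns 0 on success, -1 if the line is malformed or the first token is not "cpu". */
int parse_cpu_line(const char *line, unsigned long long v[4])
{
    char tag[8];   /* must stay in sync with the %7s width below */

    /* %7s stores at most 7 bytes plus the terminator, so tag cannot overflow.
     * An oversized token leaves its tail unread, which then fails the %llu match. */
    if (sscanf(line, "%7s %llu %llu %llu %llu", tag, &v[0], &v[1], &v[2], &v[3]) != 5)
        return -1;
    return strcmp(tag, "cpu") == 0 ? 0 : -1;
}

/* Reads one line from fp and parses it; rejects lines that did not fit the buffer. */
int read_cpu_stat(FILE *fp, unsigned long long v[4])
{
    char line[256];

    if (fgets(line, sizeof line, fp) == NULL)
        return -1;
    if (strchr(line, '\n') == NULL && !feof(fp))
        return -1;   /* truncated line: do not parse a partial record */
    return parse_cpu_line(line, v);
}

int main(void)
{
    /* Constructed sample inputs, not captured from a device. */
    unsigned long long v[4];
    char big[200];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("well-formed line: %d\n", parse_cpu_line("cpu  4705 150 1120 16250 520 0 17 0 0 0\n", v));
    printf("oversized token:  %d\n", parse_cpu_line(big, v));
    return 0;
}
```

When auditing other binaries from the same firmware, any `%s` or `%[` conversion in a `scanf`-family format string that lacks an explicit field width is a candidate for the same defect.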