ToToLink Routers Stack-Based Buffer Overflow Vulnerability in CGI Binaries

A local stack-based buffer overflow vulnerability has been identified in the ToToLink A720R, LR1200GB, and NR1800X router models. This vulnerability arises in the 'infostat.cgi' and 'cstecgi.cgi' binaries, which improperly parse the '/proc/net/arp' file using 'sscanf()' with unvalidated format specifiers. The flawed parsing allows for user-controlled data to be written into fixed-size stack buffers, creating a risk of memory corruption. An attacker with the ability to manipulate the ARP file content can exploit this vulnerability, potentially leading to a denial-of-service condition or arbitrary code execution.

Impact

Exploitation of this vulnerability causes memory corruption, which can result in a denial-of-service condition or potentially allow for arbitrary code execution on the device.

Reproduction

The vulnerability can be reproduced by creating a malicious ARP entry that exceeds the buffer size limitations. This can be done by crafting an entry with a long hardware address and then using 'infostat.cgi' or 'cstecgi.cgi' to trigger the buffer overflow. The proof-of-concept involves linking the crafted ARP entry into the '/proc/net/arp' file, which the vulnerable CGI scripts will read and parse, leading to the buffer overflow.