ToToLink LR1200GB and NR1800X Routers Stack Buffer Overflow Vulnerability in cstecgi.cgi Allowing Arbitrary Code Execution

Vulnerability

A stack buffer overflow vulnerability has been identified in ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) router firmware. The issue resides within the cstecgi.cgi binary, specifically in the setDefResponse function. The vulnerability arises because the binary uses strcpy() to copy the 'IpAddress' parameter from a web request into a fixed-size stack buffer, without proper length validation. This flaw allows for memory corruption or arbitrary code execution, and can be exploited remotely without authentication.
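The unbounded copy described above, next to a length-checked and format-validated alternative. This is an added example, not the vendor's code: the function names, the 16-byte buffer size, and the IPv4-only check are assumptions, since the advisory does not state the real buffer length.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory does not state the real buffer length. */
#define IP_BUF_LEN 16 /* "255.255.255.255" plus the terminating NUL */

/* The pattern the advisory describes, kept for contrast and never called
 * here: strcpy() writes past buf for any input of IP_BUF_LEN bytes or more. */
void set_ip_unsafe(const char *ip_param)
{
    char buf[IP_BUF_LEN];
    strcpy(buf, ip_param);
    (void)buf;
}

/* Hardened form: returns 0 and fills out on success, -1 if rejected. */
int set_ip_checked(const char *ip_param, char *out, size_t out_len)
{
    struct in_addr addr;
    size_t n;

    if (ip_param == NULL || out == NULL || out_len == 0)
        return -1;
    /* Bounded length scan: never reads more than out_len bytes of input. */
    for (n = 0; n < out_len && ip_param[n] != '\0'; n++)
        ;
    if (n == 0 || n >= out_len)
        return -1; /* empty, or too long to fit with its NUL */
    if (inet_pton(AF_INET, ip_param, &addr) != 1)
        return -1; /* not a well-formed dotted-quad IPv4 address */
    memcpy(out, ip_param, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "192.168.0.1", "999.1.1.1",
                              "10.0.0.1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    char out[IP_BUF_LEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40.40s -> %s\n", samples[i],
               set_ip_checked(samples[i], out, sizeof out) == 0
                   ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the request outright, rather than truncating the value, keeps a malformed address from being stored or acted on later.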

Impact

Exploitation of this vulnerability leads to a stack buffer overflow, causing memory corruption and potentially allowing for arbitrary code execution on the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/cstecgi.cgi' endpoint. The request must include a JSON payload with the 'IpAddress' parameter. The value of this parameter should be crafted to exceed the buffer size, thereby causing a stack buffer overflow.

Added: Nov 13, 2025, 4:44 PM
Updated: Nov 13, 2025, 6:30 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.