TOTOLINK A950RG Router Buffer Overflow Vulnerability in global.so Binary Allowing Arbitrary Code Execution

A buffer overflow vulnerability has been identified in the TOTOLINK A950RG Router, specifically in the firmware version V5.9c.4592_B20191022_ALL. The issue resides within the 'global.so' binary, in the 'getSaveConfig' function. This function retrieves the 'http_host' parameter from user input using 'websGetVar' and copies it into a fixed-size stack buffer without proper length validation, using 'strcpy()'. As a result, an unauthenticated remote attacker could exploit this vulnerability by sending a crafted HTTP request to the router's web interface, potentially leading to arbitrary code execution.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can be leveraged to execute arbitrary code on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/global.cgi' endpoint. The 'http_host' parameter should be included in the request body with a value that exceeds the buffer size of the 'v13' variable in the 'getSaveConfig' function. This crafted input will overflow the stack buffer, creating the conditions for exploitation.