TOTOLink A7000R Stack Overflow Vulnerability Leading to Denial-of-Service

A stack overflow vulnerability has been identified in the TOTOLink A7000R router, specifically in version V9.1.0u.6115_B20201022. The issue arises in the addEffect parameter of the urldecode function, where the lack of input length validation allows for excessive data to be processed. This vulnerability can be exploited by sending a crafted POST request, causing the device to crash and disrupt normal service operations.

Impact

Exploitation of this vulnerability causes the router to crash, leading to a persistent denial-of-service condition where the device cannot provide services correctly.

Reproduction

To reproduce this vulnerability, upload the affected firmware onto a device or use an emulator like QEMU. Then, send a POST request to the '/cgi-bin/cstecgi.cgi' endpoint. The request must include a 'ssid' parameter with a payload that exceeds the buffer limit, along with the 'addEffect' parameter set to '0'. This will trigger the stack overflow by overwriting adjacent stack data or the return address.