TOTOLink A7000R
cpe:2.3:h:totolink:a7000r:*:*:*:*:*:*:*
- 9.1.0u.6115_B20201022
A stack overflow vulnerability has been identified in the TOTOLink A7000R router, specifically in version 9.1.0u.6115_B20201022. The issue arises in the sub_421CF0 function, where the ssid5g parameter is processed without proper length validation. This flaw allows attackers to send crafted requests that trigger a buffer overflow, overwriting adjacent stack data or the return address, and causing a denial-of-service condition by crashing the router and disrupting its normal service.
Exploitation of this vulnerability leads to a persistent denial-of-service condition, causing the router to crash and fail to provide services correctly.
To reproduce this vulnerability, upload the affected firmware onto a device or use an emulator like QEMU. Then, send a POST request to the /cgi-bin/cstecgi.cgi endpoint. The request must include a payload with an excessively long ssid5g parameter, which will trigger the stack overflow by overwriting critical stack data or the return address. As a result, the router will crash and become unresponsive.
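The missing length check described above, shown as an added example that is not the vendor's firmware code or a decompilation of sub_421CF0: a copy routine that rejects an ssid5g value longer than the 32-octet IEEE 802.11 SSID limit before it reaches a fixed-size buffer. The function names, buffer sizes and sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32 /* IEEE 802.11 limits an SSID to 32 octets */

/* Unsafe pattern the advisory describes (assumed shape, not the firmware's code):
 *     char ssid[64];
 *     strcpy(ssid, ssid5g_value);   // length never checked against the buffer
 */

/* Length of s, scanning at most max bytes (hypothetical helper). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hypothetical hardened copy: returns 0 on success, -1 if the value is rejected.
 * dst is always left as a valid (possibly empty) string. */
int copy_ssid_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    size_t n = bounded_len(src, SSID_MAX_LEN + 1);
    if (n == 0 || n > SSID_MAX_LEN || n >= dst_size)
        return -1; /* empty, over the protocol limit, or too big for dst */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char ssid[SSID_MAX_LEN + 1];
    char oversized[200]; /* constructed sample input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("normal:    %d\n", copy_ssid_checked(ssid, sizeof ssid, "HomeNet-5G"));
    printf("oversized: %d\n", copy_ssid_checked(ssid, sizeof ssid, oversized));
    return 0;
}
```

Rejecting the request at the handler, rather than truncating the value, keeps the stored configuration consistent with what the client sent.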