TOTOLINK A7000R Stack Overflow Vulnerability Leading to Denial-of-Service

A stack overflow vulnerability has been identified in the TOTOLINK A7000R router, specifically in version 9.1.0u.6115_B20201022. The issue arises in the 'sub_4222E0' function, where the 'ssid5g' parameter is processed without proper length validation. This flaw allows attackers to send crafted requests that cause a buffer overflow, overwriting adjacent stack data or the return address, and ultimately leading to a denial-of-service condition by causing the device to crash and become unresponsive.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting its normal service and causing a persistent failure to respond correctly.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/cgi-bin/cstecgi.cgi' with an excessively long 'ssid5g' parameter. The 'wifiOff5g' parameter must be set to '0' to trigger the buffer overflow. This can be done using a tool like QEMU to emulate the router's firmware or by testing on a real device.