TOTOLink LR350
cpe:2.3:h:totolink:lr350:*:*:*:*:*:*:*
- v9.3.5u.6369_B20220309
A stack overflow vulnerability has been identified in the TOTOLink LR350 router, specifically in version 9.3.5u.6369_B20220309. The issue arises in the sub_4232EC function, where the wifiOff parameter can be manipulated to bypass input length restrictions. This allows attackers to send excessively long SSID values, causing a buffer overflow that overwrites adjacent stack data or the return address, ultimately leading to a denial-of-service condition by crashing the router and disrupting its service.
Exploitation of this vulnerability crashes the router, disrupting its normal service and resulting in a persistent denial-of-service condition.
To reproduce this vulnerability, upload the affected firmware onto a device or emulator, such as QEMU. Then, send a POST request to the '/cgi-bin/cstecgi.cgi' endpoint. The request must include a 'wifiOff' parameter set to '0' and an excessively long 'ssid' parameter. This crafted request will trigger the stack overflow by overwriting critical stack data, causing the device to crash and fail to provide services correctly.
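A defensive check derived from the request described above, added here as an example and not part of the original advisory: it flags POST requests to '/cgi-bin/cstecgi.cgi' whose 'ssid' value exceeds the 32-octet SSID limit defined by IEEE 802.11. The body encoding (JSON or form), the function names and the sample requests are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
MAX_SSID_BYTES = 32                # IEEE 802.11 limits an SSID to 32 octets

def parse_params(body):
    """Body encoding is not stated in the advisory (assumption): try JSON, then form."""
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            return {k: str(v) for k, v in obj.items()}
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def inspect_request(raw):
    """Return a finding string for an oversized 'ssid' sent to the endpoint, else None."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0].split()
    if len(request_line) < 2:
        return None
    method, target = request_line[0].upper(), request_line[1].split("?", 1)[0]
    if method != "POST" or target != ENDPOINT:
        return None
    params = parse_params(body)
    if "ssid" not in params:
        return None
    # The limit is counted in bytes, not characters.
    size = len(params["ssid"].encode("utf-8", "replace"))
    if size <= MAX_SSID_BYTES:
        return None
    return f"oversized ssid: {size} bytes, wifiOff={params.get('wifiOff')!r}"

def make_request(body):
    """Build a constructed sample request (192.0.2.1 is a documentation address)."""
    return f"POST {ENDPOINT} HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n{body}"

# Constructed samples, parsed locally only.
SAMPLES = {
    "normal": make_request(json.dumps({"wifiOff": "0", "ssid": "HomeNet"})),
    "long_json": make_request(json.dumps({"wifiOff": "0", "ssid": "A" * 64})),
    "long_form": make_request("wifiOff=0&ssid=" + "B" * 64),
    "multibyte": make_request(json.dumps({"wifiOff": "0", "ssid": "\u00e9" * 20})),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", inspect_request(raw))
```

The same length rule can be enforced at a reverse proxy or WAF in front of the management interface; the multibyte sample shows why the comparison must use the encoded byte length.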