TOTOLink LR350 Stack Overflow Vulnerability Leading to Denial-of-Service

A stack overflow vulnerability has been identified in the TOTOLink LR350 router, specifically in version 9.3.5u.6369_B20220309. The issue arises in the sub_42396C function, where the ssid parameter is processed by the urldecode function without proper input length validation. This flaw allows attackers to send crafted requests that cause a buffer overflow, overwriting adjacent stack data or the return address, and ultimately leading to a denial-of-service condition by causing the router to crash and fail to provide services correctly.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting its normal service and functionality.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/cstecgi.cgi endpoint. The request must include a crafted ssid parameter that is excessively long, exceeding the buffer size of 128 bytes. This can be done using a tool like QEMU to emulate the router's firmware or by testing on a real device.