TOTOLink LR350 Stack Overflow Vulnerability Leading to Denial-of-Service

Vulnerability

A stack overflow vulnerability has been identified in the TOTOLink LR350 router, specifically in version 9.3.5u.6369_B20220309. The flaw is in the sub_422880 function, which processes the ssid parameter without validating its length. When the addEffect parameter is set to '0', ssid is passed to the urldecode function, which writes the decoded input into a fixed-size buffer. Because the input length is not restricted, oversized input overflows the buffer and can overwrite adjacent stack data or the return address, crashing the router and causing a denial-of-service condition.

Impact

Exploitation of this vulnerability leads to a persistent denial-of-service condition, causing the router to crash and fail to provide services correctly.

Reproduction

The vulnerability can be reproduced by sending a crafted POST request to the '/cgi-bin/cstecgi.cgi' endpoint. The request must include a very long ssid parameter, exceeding the buffer size, and set the addEffect parameter to '0'. The test target can be the router's firmware emulated with a tool like QEMU, or a real device.

Added: Oct 31, 2025, 5:20 PM
Updated: Oct 31, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.