TOTOLink LR350
cpe:2.3:h:totolink:lr350:*:*:*:*:*:*:*
- 9.3.5u.6369_B20220309
A stack overflow vulnerability has been identified in the TOTOLink LR350 router, specifically in version 9.3.5u.6369_B20220309. The issue arises in the sub_426EF8 function, where the password parameter is processed by the urldecode function without proper input length validation. An attacker can send a crafted request whose value exceeds the buffer size, causing a buffer overflow that overwrites adjacent stack data or the return address. Exploitation leads to a denial-of-service condition: the router crashes and fails to provide services correctly.
Exploitation of this vulnerability causes the router to crash, disrupting normal service and causing a persistent denial-of-service condition.
To reproduce this vulnerability, upload the firmware version 9.3.5u.6369_B20220309 onto a TOTOLink LR350 router. Then, send a POST request to the '/cgi-bin/cstecgi.cgi' endpoint. The request must include a 'password' parameter with a value that exceeds 63 bytes, as this will trigger the stack overflow by overwriting the fixed-size buffer used in the urldecode function. Once the router processes this request, it will crash, demonstrating the denial-of-service impact of the vulnerability.
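The root cause described above is a decode into a fixed-size stack buffer with no length check. The following is an added example, not the firmware's code or a vendor fix: a URL decoder that takes the destination capacity and rejects any value that would not fit. The function names and the 64-byte buffer size are assumptions, the latter inferred from the 63-byte threshold in the reproduction notes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory says values over 63 bytes overflow the buffer. */
#define PASSWORD_BUF_LEN 64

static int hexval(unsigned char c) {
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode src into dst, whose capacity dst_len includes the NUL terminator.
 * Returns the decoded length, or -1 if the value does not fit, contains a
 * malformed %XX escape, or decodes to an embedded NUL. dst is emptied on error. */
int urldecode_bounded(const char *src, char *dst, size_t dst_len) {
    size_t out = 0;
    if (!src || !dst || dst_len == 0) return -1;
    while (*src) {
        unsigned char c = (unsigned char)*src;
        if (c == '%') {
            /* Read src[2] only if src[1] was a hex digit, so we never read past the NUL. */
            int hi = hexval((unsigned char)src[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) { dst[0] = '\0'; return -1; }
            c = (unsigned char)((hi << 4) | lo);
            src += 3;
        } else {
            if (c == '+') c = ' ';
            src++;
        }
        /* The check the vulnerable pattern lacks: keep room for the terminator. */
        if (c == '\0' || out + 1 >= dst_len) { dst[0] = '\0'; return -1; }
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return (int)out;
}

int main(void) {
    char buf[PASSWORD_BUF_LEN];
    char longval[101]; /* constructed over-long value */
    memset(longval, 'A', 100); longval[100] = '\0';
    printf("short: %d\n", urldecode_bounded("admin%21", buf, sizeof buf));
    printf("long:  %d\n", urldecode_bounded(longval, buf, sizeof buf));
    return 0;
}
```

A caller should treat -1 as a rejected request and return an error instead of continuing with a truncated value.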