TOTOLink LR350 Stack Overflow Vulnerability Leading to Denial-of-Service

A stack overflow vulnerability has been identified in the TOTOLink LR350 router, specifically in version 9.3.5u.6369_B20220309. The issue arises in the sub_425400 function, where the ssid parameter is processed by the urldecode function without proper input length validation. This flaw allows attackers to send crafted requests that cause a buffer overflow, overwriting adjacent stack data or the return address, and ultimately leading to a denial-of-service condition by causing the device to crash and fail to provide services correctly.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting its normal service and causing a persistent failure to function correctly.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/cstecgi.cgi endpoint. The request must include a crafted ssid parameter that is excessively long, exceeding the buffer size of 128 bytes. This can be done using a tool like QEMU to emulate the router's firmware or by testing on a real device.