TOTOLink LR350 Stack Overflow Vulnerability Leading to Denial-of-Service

A stack overflow vulnerability has been identified in the TOTOLink LR350 router, specifically in version 9.3.5u.6369_B20220309. The issue arises in the sub_426EF8 function, where the http_host parameter is processed without proper length validation. This flaw allows attackers to send crafted requests that exceed the buffer size, causing a buffer overflow that overwrites adjacent stack data or the return address. The exploitation of this vulnerability leads to a denial-of-service condition, causing the router to crash and fail to provide services correctly.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting its normal service and causing a persistent denial-of-service condition.

Reproduction

To reproduce this vulnerability, the router must be running the affected firmware version. Once the firmware is booted (either on a real machine or using QEMU), the vulnerability can be exploited by sending a POST request to the /cgi-bin/cstecgi.cgi endpoint. The request must include an excessively long http_host parameter, crafted to exceed 255 bytes and overwrite the buffer, causing the router to crash.