TOTOLINK A950RG
cpe:2.3:h:totolink:a950rg:*:*:*:*:*:*:*, +1 more
- V4.1.2cu.5204_B20210112
A stack-based buffer overflow exists in the TOTOLINK A950RG router, firmware version V4.1.2cu.5204_B20210112. The bug is in the `setIpQosRules` handler implemented in `/lib/cste_modules/firewall.so`, which copies the `comment` parameter into a fixed-size stack buffer without adequately checking its length. A remote attacker who can reach the management interface can therefore submit an overly long `comment` value and overflow the buffer, crashing the device or executing arbitrary code.
Exploitation of this vulnerability can result in a process crash, causing a denial-of-service condition, or it can allow control-flow hijacking that leads to arbitrary code execution, depending on the memory layout and exploitation conditions.
To reproduce the issue, send a POST request to the router's management interface with `topicurl` set to `setting/setIpQosRules`, `ipStart` and `ipEnd` set to any valid IP addresses in the router's network range, and `comment` set to an excessively long string. A short script, for example in Python using the `requests` library, is enough to automate this. After the request is sent, the configuration handler may crash or become unresponsive; that is the sign that the overflow has been triggered.