TOTOLINK A950RG
cpe:2.3:h:totolink:a950rg:*:*:*:*:*:*:*
- V4.1.2cu.5204_B20210112
A stack buffer overflow exists in the TOTOLINK A950RG router, firmware version V4.1.2cu.5204_B20210112. The `setRadvdCfg` function in the `/lib/cste_modules/ipv6.so` module does not properly validate the length of the user-controlled `radvdinterfacename` parameter. A remote attacker can send crafted HTTP requests that trigger the overflow, which may lead to arbitrary code execution or cause the device to crash.
Exploitation of this vulnerability causes a stack buffer overflow, which can corrupt adjacent memory and potentially allow for arbitrary code execution. In some cases, it may simply cause the device to crash.
The vulnerability can be reproduced by sending a POST request to the router's management interface with an oversized `radvdinterfacename` parameter. This parameter is processed by the `setRadvdCfg` function in the `/lib/cste_modules/ipv6.so` module, which copies the parameter value into a fixed-size stack buffer without any length validation. The overflow can overwrite stack memory, including saved registers and return addresses, leading to process instability or a crash.
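The missing control is a length check before the copy. The C code below is an added example, not code from the firmware or the vendor; it places the unbounded-copy pattern described above next to a bounded, validated copy. The function names, the 16-byte limit (the Linux `IFNAMSIZ` value) and the character allow-list are assumptions, since the page gives neither the real buffer size nor the copy routine used in `ipv6.so`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 16  /* assumed limit; equals Linux IFNAMSIZ, NUL included */

/* Assumed shape of the flaw: unbounded copy into a fixed-size stack buffer.
 * The real buffer size and copy routine in ipv6.so are not on the page. */
void set_ifname_unsafe(const char *radvdinterfacename)
{
    char ifname[IFNAME_MAX];
    strcpy(ifname, radvdinterfacename);  /* writes past ifname for long input */
    (void)ifname;
}

/* Hardened form: returns 0 and fills dst, or -1 if the value is rejected. */
int set_ifname_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator within dst_size bytes only. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL || end == src)
        return -1;                       /* too long for dst, or empty */
    size_t len = (size_t)(end - src);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return -1;                   /* assumed allow-list for names */
    }
    memcpy(dst, src, len + 1);           /* len + NUL always fits in dst */
    return 0;
}

int main(void)
{
    char ifname[IFNAME_MAX];
    char oversized[300];                 /* constructed sample input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("br0       -> %d\n", set_ifname_checked(ifname, sizeof ifname, "br0"));
    printf("oversized -> %d\n", set_ifname_checked(ifname, sizeof ifname, oversized));
    return 0;
}
```

The checked version rejects the request instead of truncating, so a malformed interface name never reaches later configuration code in a silently altered form.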