TOTOLINK A950RG Buffer Overflow Vulnerability in setParentalRules Interface Allowing Denial-of-Service and Potential Arbitrary Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in the TOTOLINK A950RG router running firmware version V4.1.2cu.5204_B20210112. The issue is in the setParentalRules interface, which does not adequately validate the urlKeyword parameter: multiple user-controlled fields are concatenated into a fixed-size stack buffer without proper boundary checks. A remote attacker could exploit this to cause a denial-of-service condition or potentially execute arbitrary code on the device.

Impact

Exploitation of this vulnerability leads to a stack buffer overflow, causing corruption of adjacent stack variables, including saved registers. This can overwrite the return address, potentially allowing for arbitrary code execution. The vulnerability also causes a process crash, resulting in a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a POST request to the router's CGI interface with a payload that includes a crafted urlKeyword parameter. This parameter should be filled with data that exceeds the buffer size of 87 bytes, such as 5000 bytes of repeated characters. The week, startTime, and endTime parameters can be set to their default values. After the payload is sent, the router's management interface will become unresponsive or crash, indicating that the buffer overflow has been successfully triggered.
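The bounded form of the concatenation described above, as an added example (not code from the firmware or the vendor): the fields are joined with snprintf into the 87-byte stack buffer and any request that would not fit is rejected instead of being copied. The function names, the field order and the ',' separator are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RULE_BUF_SIZE 87 /* buffer size stated in the advisory */

/* Hypothetical helper: joins the four request fields into out.
 * Returns 0 on success, -1 if a field is missing or the joined string
 * (plus its terminating NUL) would not fit in out_len bytes.
 * Field order and the ',' separator are assumptions. */
int build_parental_rule(char *out, size_t out_len,
                        const char *week, const char *start_time,
                        const char *end_time, const char *url_keyword)
{
    if (!out || out_len == 0 || !week || !start_time || !end_time || !url_keyword)
        return -1;

    /* snprintf writes at most out_len bytes and returns the length the
     * complete string would have had, so an oversize request is detectable. */
    int n = snprintf(out, out_len, "%s,%s,%s,%s",
                     week, start_time, end_time, url_keyword);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0'; /* reject rather than keep a truncated rule */
        return -1;
    }
    return 0;
}

/* Hypothetical handler: same fixed-size stack buffer, bounded write.
 * Returns the stored rule length, or -1 when the request is rejected. */
int handle_set_parental_rules(const char *week, const char *start_time,
                              const char *end_time, const char *url_keyword)
{
    char rule[RULE_BUF_SIZE];
    if (build_parental_rule(rule, sizeof rule, week, start_time,
                            end_time, url_keyword) != 0)
        return -1; /* caller answers with an error response */
    /* ... persist `rule` here ... */
    return (int)strlen(rule);
}

int main(void)
{
    /* Constructed sample values, not taken from a real request. */
    printf("%d\n", handle_set_parental_rules("1", "08:00", "17:00", "example"));
    return 0;
}
```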

Added: Feb 3, 2026, 6:38 PM
Updated: Feb 3, 2026, 6:38 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.