TOTOLINK T6
cpe:2.3:h:totolink:t6:*:*:*:*:*:*:*
- 4.1.5cu.748_B20211015
A critical buffer overflow vulnerability has been identified in the TOTOLINK T6 router, specifically in version 4.1.5cu.748_B20211015. The issue lies in the MQTT service's 'updateWifiInfo' function, where manipulating the 'serverIp' argument leads to memory corruption. The vulnerability can be exploited remotely, and the exploit has been publicly disclosed.
Exploitation of this vulnerability allows for a buffer overflow, which can be used to overwrite the saved return address and potentially execute arbitrary code remotely.
The vulnerability can be reproduced by sending a crafted MQTT message to the router's open MQTT service on port 1883. The message includes a 'serverIp' argument that exceeds the buffer size of 128 bytes. Because the length is not properly validated, this triggers the buffer overflow and overwrites the return address on the stack.
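The length validation the description says is missing, shown as an added example; this is not TOTOLINK firmware code and not part of the original advisory. The helper name `copy_server_ip` and the restriction to IPv4 are assumptions, while the 128-byte buffer size comes from the description above.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SERVER_IP_BUF 128 /* buffer size stated in the description */

/* Hypothetical helper: copy an untrusted serverIp value into a fixed buffer
 * only if it fits and parses as an IPv4 address (IPv4-only is an assumption).
 * Returns 0 on success, -1 on rejection; dst is an empty string on rejection. */
int copy_server_ip(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    struct in_addr addr;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Length check first: the value plus its terminator must fit in dst. */
    if (src_len >= dst_size)
        return -1;

    /* Reject embedded NULs so the checked length matches the string length. */
    if (memchr(src, '\0', src_len) != NULL)
        return -1;

    memcpy(dst, src, src_len);
    dst[src_len] = '\0';

    /* Semantic check: a serverIp field should hold nothing but an address. */
    if (inet_pton(AF_INET, dst, &addr) != 1) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char ip[SERVER_IP_BUF];
    const char *sample = "192.168.0.1"; /* constructed sample value */

    printf("accepted=%d\n", copy_server_ip(ip, sizeof ip, sample, strlen(sample)) == 0);
    return 0;
}
```

Checking the length before the copy, rather than truncating silently, lets the service reject and log an oversized field instead of storing a partial value.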