TOTOLINK T6 Buffer Overflow Vulnerability in MQTT Packet Handler

Vulnerability

A critical buffer overflow vulnerability has been identified in the TOTOLINK T6 router, firmware version 4.1.5cu.748_B20211015. The issue is in the MQTT Packet Handler component, in the function 'tcpcheck_net' of the file '/router/meshSlaveDlfw'. Manipulating the 'serverIp' argument causes a buffer overflow. The flaw can be exploited remotely, allowing an attacker to overwrite the saved return address and execute arbitrary code.
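
A defensive pattern for a field such as 'serverIp', shown as an added example that is not code from the TOTOLINK firmware or from this advisory. The function name `copy_server_ip`, the buffer size, and the assumption that the field carries an IPv4 address are all hypothetical.

```c
/* Added illustration: hypothetical names, not TOTOLINK firmware code. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define SERVER_IP_MAX INET_ADDRSTRLEN  /* 16: "255.255.255.255" plus NUL */

/* Unsafe pattern, for contrast only: a fixed stack buffer filled by an
 * unbounded copy of untrusted text, e.g.
 *     char ip[16]; strcpy(ip, server_ip);                               */

/* Validate and copy an untrusted serverIp string (assumed to be IPv4).
 * Returns 0 on success, -1 if missing, empty, too long, or not an address. */
int copy_server_ip(const char *server_ip, char *out, size_t out_len)
{
    struct in_addr addr;
    const char *nul;

    if (server_ip == NULL || out == NULL || out_len < SERVER_IP_MAX)
        return -1;

    /* Bounded scan: never walk more than SERVER_IP_MAX bytes of input. */
    nul = memchr(server_ip, '\0', SERVER_IP_MAX);
    if (nul == NULL || nul == server_ip)
        return -1;

    /* Accept only dotted-quad IPv4 text; anything else is rejected. */
    if (inet_pton(AF_INET, server_ip, &addr) != 1)
        return -1;

    /* Store the re-serialised address, never the raw input bytes. */
    if (inet_ntop(AF_INET, &addr, out, (socklen_t)out_len) == NULL)
        return -1;
    return 0;
}

int main(void)
{
    char ip[SERVER_IP_MAX];
    char oversized[300];                       /* constructed sample input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("valid:     %d\n", copy_server_ip("192.168.0.1", ip, sizeof ip));
    printf("oversized: %d\n", copy_server_ip(oversized, ip, sizeof ip));
    printf("not an IP: %d\n", copy_server_ip("1.2.3.4;x", ip, sizeof ip));
    return 0;
}
```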

Impact

Successful exploitation overflows the buffer and allows remote code execution on the affected device.

Reproduction

To reproduce this vulnerability, send a malicious packet over MQTT to the 'totolink/router/meshSlaveDlfw' topic. The packet must be crafted to exploit the buffer overflow in the 'tcpcheck_net' function by overwriting the return address with a value that directs execution to a controlled location.

Added: Jul 25, 2025, 9:18 PM
Updated: Jul 25, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.