TOTOLINK X15 Buffer Overflow Vulnerability in HTTP POST Request Handler

A critical buffer overflow vulnerability has been identified in the TOTOLINK X15 router, specifically in version 1.0.0-B20230714.1105. The vulnerability resides in an unknown function of the file '/boafrm/formMapDelDevice', within the HTTP POST request handler component. The issue is triggered by manipulating the 'macstr' argument, leading to a stack-based buffer overflow. This vulnerability can be exploited remotely, and has been publicly disclosed along with a proof-of-concept exploit.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to arbitrary code execution or a denial-of-service condition on the device.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP POST request to the '/boafrm/formMapDelDevice' endpoint. The 'macstr' argument must be populated with a payload that exceeds the buffer's capacity, causing a stack overflow. This can be done using a series of 'a' characters to overflow the buffer. Additionally, the same endpoint can be used to demonstrate command injection by including a command in the 'macstr' argument, such as '1; touch /1.txt &', which would create a file named '1.txt' on the device.