TOTOLINK A3600R Buffer Overflow Vulnerability in setAppEasyWizardConfig Function

A buffer overflow vulnerability has been identified in the TOTOLINK A3600R router, specifically in the firmware version 5.9c.4959. The issue arises within the 'setAppEasyWizardConfig' function of the '/lib/cste_modules/app.so' library. The vulnerability is caused by improper validation of the 'apcliSsid' parameter, which allows remote attackers to manipulate the input and trigger a buffer overflow. This exploitation could lead to arbitrary code execution or cause a denial-of-service condition by crashing the device.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, where the 'apcliSsid' parameter is copied into a fixed-size buffer without proper length checks. This overflow can overwrite adjacent memory on the stack, potentially allowing for arbitrary code execution or causing the device to crash, leading to a denial-of-service situation.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/cstecgi.cgi' endpoint. The request must include a 'topicurl' parameter set to 'setting/setAppEasyWizardConfig', and the 'apcliSsid' parameter must be filled with a string long enough to overflow the buffer. This can be done using a script that automates the process, such as one written in Python that uses the 'requests' library to send the crafted payload.