Totolink A3002MU Stack-Based Buffer Overflow Vulnerability in WLAN Setup HTTP Request Handler

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Totolink A3002MU router, specifically in firmware version B20211125.1046. The issue arises in the HTTP request handler function 'formWlanSetup', located in the binary file '/bin/boa'. The vulnerability is triggered by the 'wan-url' parameter, which is accepted from user input without proper length validation. This oversight allows an attacker to send an overly long 'wan-url' string, causing the buffer to overflow, corrupting adjacent stack memory, and potentially leading to a denial-of-service condition. The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability overflows a buffer located on the stack. Because the overflow corrupts stack memory, this class of vulnerability can often be exploited to execute arbitrary code or to cause a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a POST request to '/boafrm/formWlanSetup' with a 'wan-url' parameter. The value of the 'wan-url' should be crafted to exceed the buffer's size limit, causing a stack-based overflow. The request can be made using a tool like Burp Suite or through a custom script that automates the process.
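From the defender's side, the request described above is straightforward to flag in web-server or proxy logs in front of the router. The following detection logic is an added example and is not part of the original advisory: it parses constructed sample request records and reports POSTs to '/boafrm/formWlanSetup' whose decoded 'wan-url' value exceeds an assumed length threshold (MAX_WAN_URL_LEN is an assumption, since the advisory does not state the buffer size).

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption (not from the advisory): a decoded 'wan-url' value longer than this
# is treated as anomalous. The real buffer size inside formWlanSetup is not
# stated, so tune this to the longest legitimate URL your deployment submits.
MAX_WAN_URL_LEN = 128
TARGET_PATH = "/boafrm/formWlanSetup"   # handler path named in the advisory
TARGET_PARAM = "wan-url"                # overflowing parameter named in the advisory


def check_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding for a POST to formWlanSetup carrying an oversized
    wan-url value, or None when the request does not match."""
    if method.upper() != "POST" or urlparse(path).path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so the length measured here is the
    # length the handler would actually copy into its stack buffer.
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        if len(value) > MAX_WAN_URL_LEN:
            return {"param": TARGET_PARAM, "length": len(value), "path": TARGET_PATH}
    return None


# Constructed sample records (not real captures) in a simple
# "<client> <method> <path> <body>" layout, one request per line.
SAMPLE_RECORDS = [
    "192.0.2.10 POST /boafrm/formWlanSetup wan-url=http%3A%2F%2Fexample.invalid%2Fwps&ssid=home",
    "192.0.2.11 POST /boafrm/formWlanSetup wan-url=" + "A" * 600 + "&ssid=home",
    "192.0.2.12 GET /boafrm/formWlanSetup?wan-url=" + "A" * 600 + " -",
    "192.0.2.13 POST /boafrm/formOther wan-url=" + "A" * 600,
]


def scan_records(records):
    """Run check_request over each record; return findings tagged with the client IP."""
    findings = []
    for record in records:
        client, method, path, body = record.split(" ", 3)
        finding = check_request(method, path, body)
        if finding is not None:
            finding["client"] = client
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"possible formWlanSetup overflow attempt from {f['client']}: "
              f"{f['param']} length {f['length']} > {MAX_WAN_URL_LEN}")
```

Only the second constructed record is reported; the GET request and the POST to a different handler are ignored because the advisory ties the overflow to POSTs handled by formWlanSetup.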

Added: Apr 13, 2026, 6:28 PM
Updated: Apr 13, 2026, 6:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.