TOTOLINK N300RT
cpe:2.3:h:totolink:n300rt:*:*:*:*:*:*:*, +1 more
- <= 3.4.0-B20250430
A stack-based buffer overflow vulnerability has been identified in the Totolink N300RT router, specifically in the boa web server, within the function 'is_cmd_string_valid' of the component 'libapmib.so'. This vulnerability exists in routers running firmware version 3.4.0-B20250430 or earlier. The issue arises because the function fails to properly validate the length of the 'localPin' parameter in the '/boafrm/formWsc' endpoint. An authenticated attacker can exploit this vulnerability by sending a crafted POST request with an oversized payload, bypassing Cross-Site Request Forgery (CSRF) and token checks. This exploitation can lead to a Denial of Service (DoS) condition or potentially allow for Remote Code Execution (RCE).
Exploitation of this vulnerability causes a Denial of Service (DoS) condition, where the router's management interface becomes inaccessible. Additionally, this vulnerability could be exploited to execute arbitrary code remotely on the device.
To reproduce this vulnerability, log into the router to obtain a valid 'sessionCheck' token. Then, send a POST request to the '/boafrm/formWsc' endpoint, including the 'sessionCheck' token and a 'localPin' parameter padded with an excessive amount of data to overflow the buffer. After the payload is sent, the 'boa' web service will crash, causing a Denial of Service by making the router's management interface unavailable.
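As an added illustration (not TOTOLINK's code, and not the actual 'is_cmd_string_valid' implementation, which is not shown on this page), the following C fragment shows the kind of bounded length and character check whose absence the description points to: the 'localPin' value is parsed out of a constructed form body and rejected before anything is copied into a fixed-size buffer, so an oversized value can never reach the copy. The 8-digit limit is an assumption based on the WPS PIN format; the names validate_local_pin, check_body and form_find are hypothetical, and the request bodies are constructed, not captured traffic.

```c
/* Added example: hardened handling of an untrusted form parameter.
 * Assumptions: a WPS local PIN is at most 8 decimal digits, and the body is
 * application/x-www-form-urlencoded with no %-escapes inside the PIN value. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define LOCAL_PIN_MAX 8   /* assumed maximum PIN length */

enum pin_status { PIN_OK = 0, PIN_MISSING = 1, PIN_TOO_LONG = 2, PIN_BAD_CHAR = 3 };

/* Locate the value of `name` in a form body. Returns a pointer into the body
 * and sets *vlen, or returns NULL if the field is absent. A value runs until
 * the next '&' or the end of the string; nothing is copied here. */
static const char *form_find(const char *body, const char *name, size_t *vlen) {
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *vlen = flen - nlen - 1;
            return p + nlen + 1;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Hardened check: validate length and character set against the destination
 * size first, and only then copy. An unbounded strcpy() into a stack buffer
 * of LOCAL_PIN_MAX + 1 bytes is the pattern this replaces. */
static enum pin_status validate_local_pin(const char *body, char *dst, size_t dstsz) {
    size_t vlen = 0;
    const char *v = form_find(body, "localPin", &vlen);
    if (!v || vlen == 0) return PIN_MISSING;
    if (vlen > LOCAL_PIN_MAX || vlen + 1 > dstsz) return PIN_TOO_LONG;
    for (size_t i = 0; i < vlen; i++)
        if (!isdigit((unsigned char)v[i])) return PIN_BAD_CHAR;
    memcpy(dst, v, vlen);
    dst[vlen] = '\0';
    return PIN_OK;
}

/* Convenience wrapper: run the check against a body using a local buffer of
 * exactly the assumed size, returning only the verdict. */
static enum pin_status check_body(const char *body) {
    char pin[LOCAL_PIN_MAX + 1];
    return validate_local_pin(body, pin, sizeof pin);
}

int main(void) {
    char pin[LOCAL_PIN_MAX + 1];
    /* Constructed request bodies (not captured traffic). */
    const char *ok_body  = "sessionCheck=abc123&localPin=12345670";
    const char *long_body = "localPin=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sessionCheck=abc123";

    if (validate_local_pin(ok_body, pin, sizeof pin) == PIN_OK)
        printf("accepted localPin=%s\n", pin);
    if (validate_local_pin(long_body, pin, sizeof pin) == PIN_TOO_LONG)
        printf("rejected oversized localPin before any copy\n");
    return 0;
}
```

The point of the design is the order of operations: the destination size is compared against the measured value length before the copy, so the only outcomes for an oversized value are an error code and an untouched buffer, rather than a write past the end of the stack frame.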