Totolink NR1800X Stack-Based Buffer Overflow Vulnerability in Lighttpd Component

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the lighttpd web server component of the Totolink NR1800X router, firmware version 9.1.0u.6279_B20210910. The flaw is in the 'find_host_ip' function, where the absence of proper length validation lets an overly long 'Host' header overflow a stack buffer. The memory corruption can be triggered remotely and crashes the web service, resulting in a denial-of-service condition.
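The length validation described as missing above, sketched as an added example; this is not the firmware's or lighttpd's code. The names extract_host, probe and HOST_BUF_LEN are hypothetical, and the 512-byte buffer size is an assumption taken from the header length quoted under Reproduction.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define HOST_BUF_LEN 512 /* assumed size; the advisory only says >512-byte headers crash */
enum { HOST_OK = 0, HOST_MISSING = -1, HOST_TOO_LONG = -2, HOST_MALFORMED = -3 };

/* Hypothetical helper, not the firmware's find_host_ip: copies the Host value
 * into out[out_len] only after checking that it fits, terminator included. */
static int extract_host(const char *req, size_t req_len, char *out, size_t out_len)
{
    const char *p = req, *end = req + req_len;
    if (out_len == 0) return HOST_MALFORMED;
    out[0] = '\0';
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p)), *eol;
        if (!nl) return HOST_MALFORMED;            /* unterminated header line */
        eol = (nl > p && nl[-1] == '\r') ? nl - 1 : nl;
        if (eol == p) return HOST_MISSING;         /* blank line: end of headers */
        if ((size_t)(eol - p) >= 5 && strncasecmp(p, "Host:", 5) == 0) {
            const char *v = p + 5;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(eol - v);
            if (vlen == 0) return HOST_MALFORMED;
            if (vlen >= out_len) return HOST_TOO_LONG; /* reject, never truncate */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return HOST_OK;
        }
        p = nl + 1;
    }
    return HOST_MISSING;
}

/* Constructed input: a request whose Host value is n filler bytes. */
static int probe(size_t n)
{
    static char req[2048];
    char host[HOST_BUF_LEN];
    size_t off = (size_t)snprintf(req, sizeof req, "GET / HTTP/1.1\r\nHost: ");
    if (n > sizeof req - off - 4) return HOST_MALFORMED;
    memset(req + off, 'a', n);
    memcpy(req + off + n, "\r\n\r\n", 4);
    return extract_host(req, off + n + 4, host, sizeof host);
}
int main(void)
{
    printf("%d %d %d\n", probe(11), probe(511), probe(512));
    return 0;
}
```

Rejecting the oversized value, rather than truncating it, lets the server answer with an error instead of resolving a host name the client never sent.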

Impact

Exploitation of this vulnerability causes the web service to become unavailable, with the device refusing connections. This denial-of-service condition is accompanied by a segmentation fault in the device's runtime logs, indicating a crash of the lighttpd process.

Reproduction

The vulnerability can be reproduced by sending an HTTP request with an excessively long 'Host' header, exceeding 512 bytes. A simple Python script that opens a socket connection to the router's web server and sends the crafted request is sufficient. Afterwards the device refuses connections and the lighttpd service crashes, as observed in the runtime logs.

Added: May 1, 2026, 3:18 AM
Updated: May 1, 2026, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 3.1
exploitability: 9.1
remediation: 7.7
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.