Totolink X5000R Buffer Overflow Vulnerability in DDNS Management Endpoint

A buffer overflow vulnerability has been identified in the Totolink X5000R router, specifically in the firmware version 9.1.0u.6369_B20230113. The issue arises in the '/boafrm/formDdns' endpoint, within the 'sub_458E40' function, where the 'submit-url' parameter is processed without proper input validation. This oversight allows remote attackers to send oversized 'submit-url' values, leading to stack memory overwriting. Such exploitation can cause application crashes, memory corruption, and potentially allow arbitrary code execution on the server.

Impact

Exploitation of this vulnerability can cause the web server to crash, making the device's management interface unavailable. Additionally, it can be exploited to execute arbitrary code, allowing attackers to gain full control over the router. This could lead to monitoring network traffic or using the router as a launch point for attacks on other devices within the network.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/boafrm/formDdns' endpoint with an oversized 'submit-url' parameter. This can be done using a tool like Burp Repeater, without the need for authentication.