CVE-2023-7187

MEDIUM 5.5 / 10.0
Published: December 31, 2023 at 02:15 PM
Modified: November 21, 2024 at 08:45 AM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability was found in Totolink N350RT 9.3.5u.6139_B20201216. It has been rated as critical. This issue affects some unknown processing of the file /cgi-bin/cstecgi.cgi?action=login&flag=ie8 of the component HTTP POST Request Handler. The manipulation leads to stack-based buffer overflow. The exploit has been disclosed to the public and may be used. The identifier VDB-249389 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score
5.5
Severity
MEDIUM
Vector String
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

CVE-2023-7187 in Totolink N350RT routers is a stack-based buffer overflow that allows remote code execution. Successful exploitation grants attackers complete control over the device, potentially leading to network compromise and data theft. The vendor has not responded to the disclosure, so the vulnerability remains unpatched; note that the CVSS 3.1 vector above rates the attack vector as adjacent network (AV:A) with low privileges required (PR:L).

02 // Vulnerability Mechanism

Step 1: Target Identification: Identify vulnerable Totolink N350RT routers running firmware version 9.3.5u.6139_B20201216 accessible from the network.

Step 2: Request Crafting: Construct a malicious HTTP POST request to /cgi-bin/cstecgi.cgi?action=login&flag=ie8. The POST request body will contain a specially crafted payload designed to overflow a buffer.

Step 3: Payload Delivery: Send the crafted HTTP POST request to the target router.

Step 4: Buffer Overflow: The router's web server processes the request and attempts to store the oversized payload in a stack-allocated buffer. Due to the lack of bounds checking, the payload overflows the buffer, overwriting adjacent memory, including the return address.

Step 5: Control Hijack: The overwritten return address now points to either attacker-controlled shellcode or a gadget within the program's memory. When the vulnerable function returns, control is transferred to the attacker's code.

Step 6: Code Execution: The attacker's code executes, granting them control over the router. This can involve executing commands, installing malware, or gaining persistent access.

03 // Deep Technical Analysis

The vulnerability lies within the /cgi-bin/cstecgi.cgi?action=login&flag=ie8 endpoint, specifically in how the HTTP POST request is handled. The root cause is a stack-based buffer overflow. The application fails to properly validate the size of user-supplied input within the HTTP POST request, leading to an overflow when the input exceeds the allocated buffer size on the stack. This overflow overwrites adjacent memory, including the return address. By carefully crafting the input, an attacker can overwrite the return address with the address of malicious code (shellcode) or a gadget within the program's memory, achieving arbitrary code execution.
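The missing bounds check described above, shown from the defensive side as an added example (hypothetical C written for this page, not Totolink's firmware): a form-field extractor for the login POST body that refuses any value larger than its fixed stack buffer, so an oversized field is rejected before any copy happens. `get_form_field`, `handle_login`, the buffer sizes and the field names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical parser for an application/x-www-form-urlencoded POST body.
 * Copies the value of `key` into a caller-supplied buffer of `out_len` bytes.
 * Returns 0 on success, -1 if the key is absent, -2 if the value would not fit.
 * The -2 path is the check whose absence lets a long field overrun the stack.
 * URL-decoding is left to the caller; decoding never lengthens the string. */
int get_form_field(const char *body, const char *key, char *out, size_t out_len)
{
    size_t klen = strlen(key);
    const char *p = body;

    if (out_len == 0) return -2;
    out[0] = '\0';
    while (p && *p) {
        const char *eq  = strchr(p, '=');
        const char *amp = strchr(p, '&');
        const char *end = amp ? amp : p + strlen(p);   /* end of this pair */
        /* Match only an exact key of the same length, not a prefix. */
        if (eq && eq < end && (size_t)(eq - p) == klen && memcmp(p, key, klen) == 0) {
            size_t vlen = (size_t)(end - eq - 1);
            if (vlen >= out_len) return -2;            /* leave room for NUL */
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

/* Simulated login handler with stack-allocated field buffers, mirroring the
 * CGI code path described above. Returns an HTTP-style status: 400 when a
 * field is missing or too large, 200 when both fields were copied safely. */
int handle_login(const char *body)
{
    char user[32];
    char pass[64];

    if (get_form_field(body, "username", user, sizeof user) != 0) return 400;
    if (get_form_field(body, "password", pass, sizeof pass) != 0) return 400;
    return 200; /* credential verification would follow here */
}
```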

CVE-2023-7187 - MEDIUM Severity (5.5) | Free CVE Database | 4nuxd