It has come to our attention that routers, specifically the TOTOLINK LR350 running on firmware V9.3.5u.6369_B20220309, are vulnerable to a post-authentication buffer overflow attack. This vulnerability has been assigned CVE-2022-44254 by the Common Vulnerabilities and Exposures (CVE) organization. In this post, we will dive into the details of this vulnerability, the potential impact, and the steps you can take to secure your network.

Affected Product

TOTOLINK LR350 Router running firmware V9.3.5u.6369_B20220309

Vulnerability Overview

This vulnerability is a post-authentication buffer overflow in the setSmsCfg function, which is reached through the router's administrative web interface. That interface is normally used only by administrators to configure and maintain the device, so the attacker needs valid credentials or a hijacked session first. Once past that barrier, a single crafted request whose text parameter is longer than the backing buffer is enough to trigger the bug.

The vulnerable code snippet

#define SMS_CFG_NUM 64
#define SMS_CFG_SIZE 60
...
char szSmsCfg[SMS_CFG_NUM][SMS_CFG_SIZE];
memset(szSmsCfg, 0, sizeof(szSmsCfg));

for (int nIndex = 0; nIndex < SMS_CFG_NUM; nIndex++)
{
    snprintf(szKey, sizeof(szKey) - 1, "txtSmsCfg_%d", nIndex);
    str = websGetVar(wp, szKey, T(""));
    strncpy(szSmsCfg[nIndex], str, SMS_CFG_SIZE);
}

The issue is the copy into szSmsCfg. As written, strncpy is bounded to SMS_CFG_SIZE, so it cannot itself write past the 60-byte row; what it does do is leave the row without a NUL terminator whenever the submitted value is 60 bytes or longer. Every later routine that treats szSmsCfg[nIndex] as a C string then reads straight through into the neighbouring rows (and past the end of the table), and any unbounded copy made from it, such as strcpy or sprintf into a fixed-size buffer, overflows its destination and corrupts adjacent memory. Treat the snippet as a reconstruction of the pattern rather than a verbatim listing of the firmware; the parameter names and buffer sizes in the shipped binary may differ.

Detailed Exploit

An authenticated attacker could exploit this vulnerability by sending a maliciously crafted POST request to the setSmsCfg function, causing a buffer overflow:

POST /goform/formSmsCfg HTTP/1.1
Host: target_ip
Content-Type: application/x-www-form-urlencoded
Content-Length: <calculated_length>

txtSmsCfg_0=<maliciously_long_string>&txtSmsCfg_1=...&txtSmsCfg_63=...

Where <maliciously_long_string> is a value of at least SMS_CFG_SIZE (60) bytes: anything that long is stored without a terminator, and longer values cost the attacker nothing. Depending on how the stored value is used afterwards, the result can be a crash of the web server process (denial of service), memory corruption leading to arbitrary code execution with the privileges of that process, or other unexpected behaviour.
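The following C program is an added example, not code from the original post or from TOTOLINK's firmware. It reproduces the copy pattern of the snippet in the previous section (strncpy bounded to the full row size) inside a hypothetical sms_cfg_table, feeds it values of the lengths a crafted txtSmsCfg_0 would carry, and shows what a value of SMS_CFG_SIZE or more bytes does to later string handling. A hardened copy that rejects over-long values and always terminates sits beside it. The table layout, the guard byte and all helper names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SMS_CFG_NUM 64
#define SMS_CFG_SIZE 60

/* Hypothetical stand-in for the firmware's table. The guard byte is not in
 * the page's snippet; it exists only so the strlen() walk below stops at a
 * known byte instead of running off the end of the object. */
struct sms_cfg_table {
    char rows[SMS_CFG_NUM][SMS_CFG_SIZE];
    char guard;
};

/* Bounded length without relying on strnlen() (POSIX, not ISO C). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The copy exactly as the page's loop does it. strncpy never writes past the
 * 60-byte row, but when strlen(src) >= SMS_CFG_SIZE it also writes no NUL.
 * Returns 1 if the row is NUL-terminated afterwards, 0 if it is not. */
int copy_as_on_page(char row[SMS_CFG_SIZE], const char *src)
{
    strncpy(row, src, SMS_CFG_SIZE);
    return memchr(row, '\0', SMS_CFG_SIZE) != NULL;
}

/* Hardened copy: refuse any value that does not fit together with its
 * terminator, and always terminate. Returns 0 on success, -1 if rejected. */
int copy_hardened(char row[SMS_CFG_SIZE], const char *src)
{
    size_t n = bounded_len(src, SMS_CFG_SIZE);
    if (n >= SMS_CFG_SIZE)
        return -1;
    memcpy(row, src, n);
    row[n] = '\0';
    return 0;
}

/* Constructed input: `len` bytes of 'A', the way a long txtSmsCfg_0 value
 * would arrive (capped so it always fits the local buffer). */
static void make_value(char *out, size_t outsz, size_t len)
{
    if (len > outsz - 1)
        len = outsz - 1;
    memset(out, 'A', len);
    out[len] = '\0';
}

/* Store a `len`-byte value in row 0 with the page's copy, put "B" in row 1,
 * then measure how far a later strlen() on row 0 actually walks. Below 60 it
 * returns len; at 60 or more the unterminated row runs into row 1 and the
 * result is 61: the string has silently become longer than its own buffer. */
size_t strlen_after_page_copy(size_t len)
{
    static struct sms_cfg_table t;
    char value[SMS_CFG_NUM * SMS_CFG_SIZE];

    memset(&t, 0, sizeof(t));
    make_value(value, sizeof(value), len);
    copy_as_on_page(t.rows[0], value);
    copy_as_on_page(t.rows[1], "B");
    return strlen(t.rows[0]);
}

/* Same input through the hardened copy: -1 when rejected, else the stored length. */
long hardened_result(size_t len)
{
    char row[SMS_CFG_SIZE];
    char value[SMS_CFG_NUM * SMS_CFG_SIZE];

    make_value(value, sizeof(value), len);
    if (copy_hardened(row, value) != 0)
        return -1;
    return (long)strlen(row);
}

int main(void)
{
    size_t lens[] = { 10, 59, 60, 61, 500 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%3zu  page copy strlen=%3zu  hardened=%ld\n",
               lens[i], strlen_after_page_copy(lens[i]), hardened_result(lens[i]));
    return 0;
}
```

The point of the 61 is that the 60-byte bound on strncpy does not make the code safe: the moment the stored value is handed to anything that expects a C string, the effective length is whatever happens to follow in memory, and a subsequent unbounded copy of that "string" is the overflow. The hardened variant fixes it at the source by rejecting values that cannot be stored with their terminator instead of truncating them.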

Mitigation

As of now, no official patch has been released by TOTOLINK to address this vulnerability. However, there are several steps you can take to minimize the potential impact of this issue:

1. Ensure that only authorized administrators can reach the router's administration interface: do not expose it to the WAN, and use a strong, unique administrator password so that the authentication requirement actually holds.

2. Regularly update your router's firmware to the latest available version, and check TOTOLINK's release notes for a build that addresses CVE-2022-44254 once one is published.

Original References

- CVE-2022-44254 MITRE Entry
- TOTOLINK LR350 Official Product Page

Conclusion

The post-authentication buffer overflow vulnerability (CVE-2022-44254) in TOTOLINK LR350 routers running on firmware V9.3.5u.6369_B20220309 is a serious issue that could result in arbitrary code execution, denial of service, or other unexpected behavior. While no official patch has been released at this time, it is crucial to ensure that only authorized administrators have access to the router's administrative interface, update the router's firmware regularly, and monitor your network for any suspicious activity.

Timeline

Published on: 11/23/2022 16:15:00 UTC
Last modified on: 11/26/2022 03:43:00 UTC