TOTOLINK X2000R_V2(V2.0.0-B20230727.10434) router buffer overflow vulnerability

Information

Firmware：https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/259/ids/36.html

Affected Version

V2.0.0-B20230727.1043

Detail

sub_4594C0 (handle function of formMapDelDevice) of /bin/boa in firmware has multiple buffer overflow vulnerabilities.

0x459604

Parameter "hostname" is read from HTTP request into $v0_8, then copied to stack variable var_74. When "hostname" has excessive length, this would result an stack buffer overflow.

0x459560

Parameter "macstr" is read from HTTP request into $v0. Parameter "bandstr" is read from HTTP request into $v0_1.

Stack variable var_120 is constructed using sprintf. When "macstr" or "bandstr" has excessive length, this would result an stack buffer overflow.

0x45959c

Parameter "submit_url" is read from HTTP request and used as 2nd parameter in sub_40bddc at 0x45959c

arg2 is assigned to $s2, stack variable var_120 is constructed using sprintf. When arg2 has excessive length, this would result an stack buffer overflow.

PoC

I'm not able to provide full exploit for this vulnerability due to legal reasons.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

5.md

5.md

TOTOLINK X2000R_V2(V2.0.0-B20230727.10434) router buffer overflow vulnerability

Information

Affected Version

Detail

0x459604

0x459560

0x45959c

PoC

Files

5.md

Latest commit

History

5.md

File metadata and controls

TOTOLINK X2000R_V2(V2.0.0-B20230727.10434) router buffer overflow vulnerability

Information

Affected Version

Detail

0x459604

0x459560

0x45959c

PoC