CVE-2024-0572 Overview
A critical stack-based buffer overflow vulnerability has been identified in Totolink LR1200GB firmware version 9.1.0u.6619_B20230130. The vulnerability exists in the setOpModeCfg function located in the /cgi-bin/cstecgi.cgi file. Attackers can exploit this flaw by manipulating the pppoeUser argument, potentially leading to remote code execution on affected devices. The exploit has been publicly disclosed, and the vendor was contacted about this issue but did not respond.
Critical Impact
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable Totolink LR1200GB routers, potentially leading to complete device compromise and network infiltration.
Affected Products
- Totolink LR1200GB Firmware version 9.1.0u.6619_B20230130
- Totolink LR1200GB Hardware
Discovery Timeline
- 2024-01-16 - CVE-2024-0572 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-0572
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a severe memory corruption flaw that occurs when data written to a buffer on the stack exceeds the allocated space. In the case of CVE-2024-0572, the setOpModeCfg function in the Totolink LR1200GB router's CGI handler fails to properly validate the length of the pppoeUser parameter before copying it to a fixed-size stack buffer.
The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction. Successful exploitation could allow an attacker to overwrite critical stack data, including return addresses, enabling arbitrary code execution with the privileges of the web server process—typically root on embedded devices like routers.
Root Cause
The root cause of this vulnerability is improper input validation within the setOpModeCfg function. When processing HTTP requests to /cgi-bin/cstecgi.cgi, the function copies the pppoeUser argument into a stack-allocated buffer without performing adequate bounds checking. This allows an attacker to supply an oversized value that overflows the buffer and corrupts adjacent stack memory.
Attack Vector
The attack vector for CVE-2024-0572 is network-based, allowing remote exploitation. An attacker can craft a malicious HTTP request targeting the /cgi-bin/cstecgi.cgi endpoint with an oversized pppoeUser parameter value. The attack requires no prior authentication and no user interaction, making it particularly dangerous for internet-exposed devices.
The exploitation process involves sending a specially crafted POST request to the vulnerable CGI endpoint. By providing a pppoeUser value that exceeds the expected buffer size, an attacker can overwrite stack memory, including the saved return address. This enables redirection of program execution to attacker-controlled shellcode or existing code gadgets (ROP chains) to achieve arbitrary code execution.
For technical exploitation details, refer to the GitHub PoC Repository and the VulDB Advisory #250788.
Detection Methods for CVE-2024-0572
Indicators of Compromise
- Unusual HTTP POST requests to /cgi-bin/cstecgi.cgi containing excessively long pppoeUser parameter values
- Abnormal process behavior or crashes on Totolink LR1200GB devices
- Unexpected outbound network connections from the router to unknown external IPs
- Router configuration changes or new admin accounts appearing without authorization
Detection Strategies
- Deploy network intrusion detection rules to identify HTTP requests to /cgi-bin/cstecgi.cgi with abnormally large pppoeUser parameters exceeding normal length thresholds
- Monitor for process crashes or restarts on the router that may indicate exploitation attempts
- Implement web application firewall (WAF) rules to inspect and block requests with oversized POST parameters targeting CGI endpoints
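The first detection strategy above, as an added example that is not part of the original advisory: a small Python checker that inspects HTTP requests to /cgi-bin/cstecgi.cgi, pulls the pppoeUser value out of either a form-encoded or a JSON body, and flags values longer than a tunable threshold. The 64-byte threshold, the body formats handled and the sample requests are assumptions for illustration; the page does not state the real buffer size.

```python
"""Flag HTTP POSTs to /cgi-bin/cstecgi.cgi whose pppoeUser value is abnormally long."""
import json
from urllib.parse import parse_qs

# Assumed threshold: real PPPoE usernames are short; anything over this many bytes
# is treated as suspicious. Tune it to the longest legitimate value in your network.
MAX_PPPOE_USER_LEN = 64
TARGET_PATH = "/cgi-bin/cstecgi.cgi"

def extract_pppoe_user(body: str):
    """Return the pppoeUser value from a form-encoded or JSON body, or None if absent."""
    body = body.strip()
    if body.startswith("{"):                     # JSON body (assumed format)
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return None
        val = data.get("pppoeUser") if isinstance(data, dict) else None
        return val if isinstance(val, str) else None
    vals = parse_qs(body, keep_blank_values=True).get("pppoeUser")  # form-encoded body
    return vals[0] if vals else None

def check_request(method: str, path: str, body: str) -> dict:
    """Classify one request; returns the observed pppoeUser length and a verdict."""
    on_target = method == "POST" and path.split("?")[0] == TARGET_PATH
    user = extract_pppoe_user(body) if on_target else None
    length = len(user.encode()) if user is not None else 0
    return {"path": path, "pppoe_user_len": length,
            "suspicious": length > MAX_PPPOE_USER_LEN}

# Constructed sample requests (method, path, body); these are not real captures.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/cstecgi.cgi", '{"pppoeUser":"isp_user01","pppoePass":"x"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", "pppoeUser=" + "A" * 600 + "&pppoePass=x"),
    ("POST", "/cgi-bin/cstecgi.cgi", json.dumps({"pppoeUser": "B" * 300})),
    ("GET", "/index.html", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return the verdict dicts of every request flagged as suspicious."""
    return [r for r in (check_request(*req) for req in requests) if r["suspicious"]]

if __name__ == "__main__":
    for hit in scan():
        print("ALERT: oversized pppoeUser (%d bytes) sent to %s"
              % (hit["pppoe_user_len"], hit["path"]))
```

The same logic can be wired into a proxy log parser or an IDS script hook; the key is matching on the parameter length rather than on a specific payload string.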
Monitoring Recommendations
- Enable logging on network perimeter devices to capture all traffic destined for Totolink router management interfaces
- Review router access logs for requests targeting the setOpModeCfg function or related CGI endpoints
- Implement alerting for any management interface access from unauthorized IP ranges or external networks
How to Mitigate CVE-2024-0572
Immediate Actions Required
- Restrict management interface access to trusted internal networks only—do not expose the router's web interface to the internet
- Implement firewall rules to block external access to port 80/443 on affected Totolink devices
- Consider replacing affected devices with supported hardware from vendors with active security response programs
- Monitor network traffic for exploitation attempts while awaiting vendor remediation
Patch Information
As of the last modification date (2024-11-21), no official patch has been released by Totolink. The vendor was contacted about this disclosure but did not respond. Users should check the VulDB Advisory and Totolink support channels for any future firmware updates addressing this vulnerability.
Workarounds
- Disable remote management features and restrict access to the router's web interface to local network segments only
- Place the affected router behind a firewall that blocks all inbound traffic to the management interface from untrusted networks
- Consider implementing network segmentation to isolate the vulnerable device from critical infrastructure
- Use a VPN for any necessary remote administration rather than exposing the management interface directly
# Example iptables rules to restrict access to router management interface
# Apply these on an upstream firewall protecting the Totolink device
# Replace <ROUTER_IP> with the address of the Totolink device
# Block external access to the HTTP/HTTPS management interface
# (-A appends these DROP rules at the end of the FORWARD chain)
iptables -A FORWARD -p tcp --dport 80 -d <ROUTER_IP> -j DROP
iptables -A FORWARD -p tcp --dport 443 -d <ROUTER_IP> -j DROP
# Allow management only from the trusted admin subnet
# (-I inserts at the head of the chain, so these ACCEPT rules are matched before the DROP rules above)
iptables -I FORWARD -p tcp --dport 80 -s 192.168.1.0/24 -d <ROUTER_IP> -j ACCEPT
iptables -I FORWARD -p tcp --dport 443 -s 192.168.1.0/24 -d <ROUTER_IP> -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.