CVE-2024-0574: Totolink LR1200GB Buffer Overflow Flaw

CVE-2024-0574 Overview

A critical stack-based buffer overflow vulnerability has been identified in the Totolink LR1200GB router firmware version 9.1.0u.6619_B20230130. The vulnerability exists in the setParentalRules function within the /cgi-bin/cstecgi.cgi file, where improper handling of the sTime argument allows remote attackers to overflow the stack buffer and potentially execute arbitrary code on the affected device.

Critical Impact

This vulnerability enables unauthenticated remote attackers to exploit a stack-based buffer overflow, potentially leading to complete device compromise, arbitrary code execution, and full control over the affected router.

Affected Products

• Totolink LR1200GB Firmware version 9.1.0u.6619_B20230130
• Totolink LR1200GB Hardware

Discovery Timeline

• January 16, 2024 - CVE-2024-0574 published to NVD
• November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2024-0574

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a memory corruption flaw that occurs when user-controlled data exceeds the allocated buffer size on the stack. The vulnerable setParentalRules function in the CGI binary fails to properly validate the length of the sTime parameter before copying it into a fixed-size stack buffer.

When a specially crafted request containing an oversized sTime value is sent to the /cgi-bin/cstecgi.cgi endpoint, the function copies the input without boundary checking, causing adjacent stack memory to be overwritten. This can corrupt the return address and other critical stack data, enabling an attacker to redirect program execution to malicious code.

The exploit has been publicly disclosed, and the vendor (Totolink) was contacted about this vulnerability but did not respond. This lack of vendor response increases the risk profile for organizations using affected devices.

Root Cause

The root cause of this vulnerability is insufficient input validation in the setParentalRules function. The firmware fails to verify that the sTime argument length does not exceed the destination buffer size before performing the copy operation. This classic programming error allows attackers to supply arbitrarily long input strings that overflow the stack buffer.

Attack Vector

The attack can be launched remotely over the network without any authentication or user interaction. An attacker sends a malicious HTTP request to the /cgi-bin/cstecgi.cgi endpoint with an oversized sTime parameter value targeting the setParentalRules function. The overflow corrupts the stack frame, potentially allowing the attacker to overwrite the return address and hijack program execution.

The network-accessible nature of the CGI interface combined with the lack of authentication requirements makes this vulnerability particularly dangerous for internet-exposed Totolink LR1200GB routers.

Detection Methods for CVE-2024-0574

Indicators of Compromise

• Unusual HTTP POST requests to /cgi-bin/cstecgi.cgi containing abnormally long sTime parameter values
• Router crashes, reboots, or unexpected behavior following network activity
• Unexpected outbound network connections from the router to unknown external hosts
• Modified router configuration or new administrative accounts created without authorization

Detection Strategies

• Deploy network intrusion detection rules to identify HTTP requests to /cgi-bin/cstecgi.cgi with sTime parameters exceeding normal length thresholds
• Monitor web server access logs for suspicious CGI requests containing buffer overflow patterns or unusually long parameter values
• Implement deep packet inspection at network boundaries to detect exploitation attempts targeting Totolink devices
• Use asset inventory tools to identify all Totolink LR1200GB routers running the vulnerable firmware version 9.1.0u.6619_B20230130

Monitoring Recommendations

• Enable comprehensive logging on network firewalls and monitor traffic to and from Totolink router management interfaces
• Set up alerts for abnormal traffic patterns or connection attempts to router administration ports
• Regularly review router system logs for crash events or unexpected restarts that may indicate exploitation attempts
• Implement network segmentation to isolate IoT and network devices from critical infrastructure

How to Mitigate CVE-2024-0574

Immediate Actions Required

• Restrict network access to the router management interface by implementing firewall rules to allow only trusted IP addresses
• Disable remote management functionality if not required and ensure the device is not directly exposed to the internet
• Consider replacing the affected Totolink LR1200GB device with an alternative router from a vendor with active security support
• Monitor the device closely for signs of compromise until a permanent mitigation can be implemented

Patch Information

At the time of publication, no official patch is available from Totolink. The vendor was contacted about this vulnerability but did not respond. Organizations should monitor the GitHub Vulnerability Report and VulDB entry for updates on any vendor response or community-developed mitigations.

Workarounds

• Implement strict access control lists (ACLs) on upstream network devices to block external access to the router's CGI interface on port 80/443
• Place the router behind a properly configured firewall that filters incoming requests to /cgi-bin/cstecgi.cgi
• Deploy a web application firewall (WAF) rule to detect and block requests with oversized sTime parameters
• If possible, disable the parental controls feature that uses the vulnerable setParentalRules function until a patch becomes available

# Example firewall rule to restrict access to router management interface
# Block external access to CGI endpoints on the router
iptables -A FORWARD -d <ROUTER_IP> -p tcp --dport 80 -j DROP
iptables -A FORWARD -d <ROUTER_IP> -p tcp --dport 443 -j DROP

# Allow only trusted management subnet
iptables -I FORWARD -s 192.168.1.0/24 -d <ROUTER_IP> -p tcp --dport 80 -j ACCEPT