CVE-2024-35387 in LR350info

Summary

by MITRE • 05/24/2024

TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the http_host parameter in the function loginAuth.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2025

The vulnerability identified as CVE-2024-35387 affects the TOTOLINK LR350 router running firmware version V9.3.5u.6369_B20220309 and is a critical stack overflow condition that can be triggered through the http_host parameter within the loginAuth function. It belongs to the buffer overflow class of vulnerabilities, in which an attacker supplies input that overwrites stack memory, potentially leading to arbitrary code execution or system compromise. The loginAuth function handles authentication requests and processes the http_host parameter, which is the entry point for the overflow. The flaw is a classic case of improper input validation: data longer than the allocated buffer is accepted and copied, corrupting adjacent stack memory and leaving the application in an unpredictable state.

The overflow occurs when the router's web interface processes an HTTP request whose http_host parameter value exceeds the fixed buffer size allocated for host header information. The resulting stack-based buffer overflow can be used by remote attackers to overwrite adjacent memory locations, including return addresses and function pointers. The attack vector is particularly concerning because it operates over HTTP without requiring authentication, so anyone who can send requests to the device can reach the vulnerable code. The vulnerability is classified as CWE-121 (stack-based buffer overflow), a well-documented weakness that results from failing to validate input length before copying data into a fixed-size buffer. According to the ATT&CK framework, this vulnerability maps to T1210 exploitation for execution, a technique in which adversaries leverage buffer overflow conditions to execute arbitrary code on the target system.
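To make the CWE-121 pattern described above concrete, here is an added C example (not TOTOLINK's code and not taken from the VulDB entry; the buffer size, function names and sample values are assumptions). It places the unbounded-copy pattern that causes a stack overflow next to a hardened copy that validates the length of the incoming http_host value before writing it into a fixed-size stack buffer, and rejects oversized values rather than truncating them silently.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size host buffer for illustration only. */
#define HOST_BUF_LEN 64

/* Vulnerable pattern (CWE-121): the destination length is ignored and
 * attacker-controlled input is copied into a fixed-size stack buffer.
 * Shown only for contrast with the checked version below. */
int copy_host_unchecked(const char *http_host, char *out, size_t out_len)
{
    (void)out_len;          /* the length is never consulted: this is the defect */
    strcpy(out, http_host); /* writes past out[] when strlen(http_host) >= out_len */
    return 0;
}

/* Hardened form: measure the input with a bounded scan, reject anything
 * that would not fit together with its terminator, then copy and NUL-terminate. */
int copy_host_checked(const char *http_host, char *out, size_t out_len)
{
    if (http_host == NULL || out == NULL || out_len == 0)
        return -1;

    size_t n = 0;
    while (n < out_len && http_host[n] != '\0')
        n++;                /* stops at out_len, so it never reads far past a long value */

    if (n >= out_len)
        return -1;          /* oversized: refuse instead of truncating */

    memcpy(out, http_host, n);
    out[n] = '\0';
    return 0;
}

/* Convenience check: 1 if the value is accepted into a HOST_BUF_LEN buffer, else 0. */
int host_value_fits(const char *http_host)
{
    char buf[HOST_BUF_LEN];
    return copy_host_checked(http_host, buf, sizeof buf) == 0;
}

int main(void)
{
    char buf[HOST_BUF_LEN];
    const char *ok = "192.168.0.1";        /* constructed sample value */
    char big[HOST_BUF_LEN * 4];            /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short value accepted: %d\n", copy_host_checked(ok, buf, sizeof buf) == 0);
    printf("%zu-byte value accepted: %d\n", strlen(big),
           copy_host_checked(big, buf, sizeof buf) == 0);
    /* The unchecked copy is only ever called here with a value that fits. */
    copy_host_unchecked(ok, buf, sizeof buf);
    return 0;
}
```

The checked version returns an error for a value of HOST_BUF_LEN bytes or more, which is the exact boundary the unchecked copy crosses; returning an error rather than truncating also keeps the caller from authenticating against a silently altered host value.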

The operational impact of CVE-2024-35387 extends beyond simple denial of service conditions, as successful exploitation can result in complete system compromise and unauthorized access to network resources. An attacker who successfully exploits this vulnerability could gain root access to the router's operating system, allowing them to modify network configurations, install malicious firmware, or establish persistent backdoors for future access. The router's role as a central network gateway makes it a prime target for attackers seeking to establish footholds within larger networks, as compromising the device can provide access to all connected devices and potentially enable lateral movement attacks. Additionally, the vulnerability affects network security policies since the router's authentication mechanisms are bypassed, allowing unauthorized users to gain administrative privileges. The impact is particularly severe in enterprise environments where multiple devices may be running the vulnerable firmware, potentially creating widespread network compromise.

Mitigation strategies for this vulnerability should include immediate firmware updates from TOTOLINK to address the identified stack overflow condition, as the manufacturer should have released patches to fix the input validation flaw in the loginAuth function. Network administrators should implement network segmentation and access controls to limit exposure of affected devices to untrusted networks, while also monitoring for suspicious traffic patterns that might indicate exploitation attempts. The implementation of web application firewalls and intrusion detection systems can help detect and block malicious requests containing oversized http_host parameters. Additionally, security teams should conduct thorough network assessments to identify all devices running the vulnerable firmware version and ensure proper patch management procedures are in place. Organizations should also consider implementing network monitoring solutions that can detect anomalous authentication patterns or unauthorized configuration changes that might indicate successful exploitation of this vulnerability. The remediation process should include comprehensive testing of updated firmware to ensure that the patch does not introduce compatibility issues with existing network configurations while maintaining the device's intended functionality.
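The paragraph above recommends detecting and blocking requests that carry an oversized http_host parameter. The following added C example (not part of the VulDB entry, and not vendor code) shows the core of such a check as a WAF or IDS rule might implement it: it locates the http_host field in a URL-encoded POST body, measures the value up to the next field separator, and flags it when it exceeds a threshold. The threshold of 128 bytes and the sample request bodies are constructed assumptions; a real deployment would tune the limit to what legitimate clients actually send.

```c
#include <stdio.h>
#include <string.h>

/* Assumed detection threshold; not a TOTOLINK buffer size. */
#define HTTP_HOST_MAX 128

/* Returns the length of the value of form field `name` in a URL-encoded body
 * (up to the next '&' or end of string), or -1 if the field is absent.
 * Only matches a field that starts at the beginning of the body or right
 * after '&', so a name embedded inside another value does not match. */
long form_field_value_len(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            return (long)(end != NULL ? (size_t)(end - v) : strlen(v));
        }
        p = strchr(p, '&');     /* advance to the next field */
        if (p != NULL)
            p++;
    }
    return -1;
}

/* 1 if the body carries an http_host value longer than HTTP_HOST_MAX, else 0. */
int is_oversized_http_host(const char *body)
{
    return form_field_value_len(body, "http_host") > HTTP_HOST_MAX;
}

/* Counts how many of the given bodies would be flagged. */
size_t count_flagged(const char *const *bodies, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (is_oversized_http_host(bodies[i]))
            flagged++;
    return flagged;
}

int main(void)
{
    /* Constructed sample bodies: two benign logins and one oversized value. */
    char big[512];
    strcpy(big, "username=admin&password=x&http_host=");
    memset(big + strlen(big), 'A', 300);
    big[strlen("username=admin&password=x&http_host=") + 300] = '\0';

    const char *bodies[] = {
        "username=admin&password=x&http_host=192.168.0.1",
        "username=admin&password=x",
        big,
    };
    size_t n = sizeof bodies / sizeof bodies[0];

    for (size_t i = 0; i < n; i++)
        printf("body %zu: http_host length %ld, flagged=%d\n", i,
               form_field_value_len(bodies[i], "http_host"),
               is_oversized_http_host(bodies[i]));
    printf("flagged %zu of %zu\n", count_flagged(bodies, n), n);
    return 0;
}
```

Measuring the decoded value length rather than matching a fixed signature keeps the rule useful against padding variations, and logging the measured length alongside the source address gives incident responders the evidence they need to distinguish scanning from a genuine exploitation attempt.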

Reservation

05/17/2024

Disclosure

05/24/2024

Moderation

accepted

CPE

ready

EPSS

0.06071

KEV

no

Activities

very low

Sources
