CVE-2022-37235: Bug-Report/netgear-R7000-0x461bc.md at main · Davidteeri/Bug-Report
Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to a buffer overflow via the wl binary in the firmware. There is a stack overflow vulnerability caused by strncat.
Vulnerability Report
Vendor: NETGEAR
Product: Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router
Version: R7000-V1.0.11.134_10.2.119 (Download Link: https://www.netgear.com/support/download/?model=R7000)
Type: Stack-based Buffer Overflow
Vulnerability description
We found a buffer overflow vulnerability in the AC1900 with the recently released R7000-V1.0.11.134_10.2.119 firmware. It allows remote attackers to corrupt execution memory with a crafted request. This can cause a denial of service or lead to code execution.
Remote Command Execution
In the wl binary, there is a stack overflow vulnerability caused by strncat.
In function 0x461bc, the value of pcVar1 is obtained through fgets with a maximum length of 0x200 bytes. The value of pcVar1 is copied to ppcVar4 (actually copied into the local_70 array by moving the pointer).
local_70 is passed as a parameter to function 0x45e18.
In function 0x45e18, the a2 parameter is copied to v16, and v16 is copied to v12. v12 is then passed as a parameter to the function pointer (v3+1).
The function pointer may point to function 0x3c0c4.
In function 0x3c0c4, a3 (with a maximum length of 0x200) is assigned to v5.
v5 is then copied to v19 through strncat. The v19 buffer is 100 bytes, so a buffer overflow may occur.
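The size mismatch described above, as an added C example that is not code from the report or from the firmware: it computes how many bytes a strncat call writes for a given length argument and shows a checked append that rejects input too long for a 100-byte destination. The function names are hypothetical, and the report does not show the length argument the firmware passes to strncat, so the example treats it as a general n.

```c
#include <stddef.h>
#include <string.h>

#define DST_CAP 100   /* destination buffer size (v19) stated in the report */
#define SRC_MAX 0x200 /* fgets buffer size stated in the report */

/* Bytes strncat(dst, src, n) writes starting at dst, counting the NUL it
 * always appends: strlen(dst) + min(strlen(src), n) + 1. */
size_t strncat_footprint(const char *dst, const char *src, size_t n)
{
    size_t add = strlen(src);
    if (add > n)
        add = n;
    return strlen(dst) + add + 1;
}

/* Hardened append (hypothetical helper): refuses rather than truncating or
 * overflowing. Returns 0 on success, -1 if the result needs more than cap. */
int append_checked(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(dst, '\0', cap);
    if (end == NULL)              /* dst is not NUL-terminated within cap */
        return -1;
    size_t used = (size_t)(end - dst);
    size_t add = strlen(src);
    if (add > cap - used - 1)     /* the -1 reserves room for the NUL */
        return -1;
    memcpy(dst + used, src, add + 1);
    return 0;
}

int main(void)
{
    char input[SRC_MAX];          /* constructed sample: longest fgets line */
    char buf[DST_CAP] = "";
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    /* A bound derived from the source size does not protect a smaller
     * destination: the footprint here is 512 bytes against a 100-byte cap. */
    int too_big = strncat_footprint(buf, input, SRC_MAX) > DST_CAP;
    int rejected = append_checked(buf, DST_CAP, input) == -1;
    return (too_big && rejected) ? 0 : 1;
}
```

The bound that matters for strncat is the space remaining in the destination minus one byte for the terminator, not the size of the source.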