Headline
CVE-2022-37232: Bug-Report/netgear-n300-0x429cbc.md at main · Davidteeri/Bug-Report
Netgear N300 wireless router wnr2000v4-V1.0.0.70 is vulnerable to Buffer Overflow via uhttpd. There is a stack overflow vulnerability caused by strcpy.
Vulnerability Report
Vendor: NETGEAR
Product: N300 wireless router
Version: wnr2000v4-V1.0.0.70 (Download Link: https://www.netgear.com/support/download/?model=WNR2000v4)
Type: Stack-based Buffer Overflow
Vulnerability description
We found a buffer overflow vulnerability in the N300 with the recently released wnr2000v4-V1.0.0.70 firmware, which allows remote attackers to destroy the execution memory with a crafted request. This can cause a denial of service or lead to code execution.
Remote Command Execution
In uhttpd binary, there is a stack overflow vulnerability caused by strcat.
1. In function 0x429CBC, the contents of v9 will be copied to v25. The value of v9 is obtained through GetNameValue, which is NewMACAddress (this value can be set by POST).
2. The length of v25 is allocated 64 bytes. So when the length of v9 exceeds 64 bytes, a stack overflow occurs. Also, strtok takes the substring v13 from v25. Then v13 is concatenated to v24. The length of v24 is 64 bytes. A buffer overflow occurs if the length of v13 is greater than 64 bytes.
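A bounded counterpart of the copy, strtok and concatenate sequence described above, as an added example (not code from the firmware or from the report). The function name normalize_mac, the ':' delimiter and the strict six-octet MAC format are assumptions; only the 64-byte buffer size comes from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64  /* size the report gives for v25 and v24 */

/* Hypothetical hardened handler for the NewMACAddress value.
 * Returns 0 and writes 12 hex digits to out on success, -1 on rejection.
 * Assumption: octets are separated by ':' (the report does not name the delimiter). */
int normalize_mac(const char *value, char out[BUF_LEN])
{
    char copy[BUF_LEN];            /* plays the role of v25 */
    size_t used = 0;
    int groups = 0;

    out[0] = '\0';
    if (value == NULL)
        return -1;
    /* Check the length before copying: the unbounded copy is the first overflow. */
    size_t len = strlen(value);
    if (len >= sizeof(copy))
        return -1;
    memcpy(copy, value, len + 1);

    for (char *tok = strtok(copy, ":"); tok != NULL; tok = strtok(NULL, ":")) {
        size_t tlen = strlen(tok);
        /* A MAC octet is exactly two hex digits; anything else is rejected. */
        if (tlen != 2 || !isxdigit((unsigned char)tok[0]) ||
            !isxdigit((unsigned char)tok[1]))
            return -1;
        /* Bound the append: the unbounded concatenation is the second overflow. */
        if (used + tlen + 1 > BUF_LEN)
            return -1;
        memcpy(out + used, tok, tlen + 1);
        used += tlen;
        groups++;
    }
    /* 6 octets plus 5 delimiters: strtok alone would also accept "00::11". */
    return (groups == 6 && len == 17) ? 0 : -1;
}

int main(void)
{
    char out[BUF_LEN];
    printf("valid: %d (%s)\n", normalize_mac("00:11:22:aa:bb:cc", out), out);
    return 0;
}
```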