Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-34832: CVE-2023-34832 : Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220

TP-Link Archer AX10(EU)_V1.2_230220 was discovered to contain a buffer overflow via the function FUN_131e8 - 0x132B4.

CVE
#perl#buffer_overflow#auth

# Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220

# Exploit Author: Giuseppe Compare

# Date : 26/05/2023

# CVE: CVE-2023-34832

# Vendor Homepage: https://www.tp-link.com/

# Version: TP-Link Archer AX10(EU)_V1.2_230220

Buffer Overflow

There is a buffer overflow in the FUN_131e8 function due to using sprintf improperly, detailed in line 47-49

memset(&DAT_000283a4,0,0x800);

sprintf(&DAT_000283a4,"echo \’[ %s ] %d: get OCN v6plus rules begin\n \’ > /dev/console", "https_get_rules_OCN",0x3c3); system(&DAT_000283a4);

//line 47-49

sprintf((char *)&local_428, “https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==” ,param_2 + 0x23,param_2[0x2d]);

The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow.

Remediation

Guarantee that storage for strings has sufficient space for character data and the null terminator.

Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf_s() and variants.

Double check that your buffer is as large as you specify.

Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.

Related news

TP-Link Archer AX10(EU)_V1.2_230220 Buffer Overflow

TP-Link Archer version AX10(EU)_V1.2_230220 suffers from a buffer overflow vulnerability.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907