CVE-2022-37234: Bug-Report/netgear-R7000-0x461bc-strncpy.md at main · Davidteeri/Bug-Report
Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to Buffer Overflow via the wl binary in firmware. There is a stack overflow vulnerability caused by strncpy.
Vulnerability Report
Vendor: NETGEAR
Product: Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router
Version: R7000-V1.0.11.134_10.2.119 (Download Link: https://www.netgear.com/support/download/?model=R7000)
Type: Stack-based Buffer Overflow
Vulnerability description
We found a buffer overflow vulnerability in the AC1900 with the recently released R7000-V1.0.11.134_10.2.119 firmware. It allows remote attackers to destroy the execution memory with a crafted request. This can cause a denial of service or impact code execution.
Remote Command Execution
In the wl binary, there is a stack overflow vulnerability caused by strncat.
In function 0x461bc, the value of pcVar1 is obtained through fgets with a maximum length of 0x200 bytes. The value of pcVar1 is then copied to ppcVar4 (in effect, copied into the local_70 array by moving the pointer).
local_70 is then passed as a parameter to function 0x45e18.
In function 0x45e18, the a2 parameter is copied to v16, and v16 is copied to v12. v12 is then passed as a parameter to the function pointer (v3+1).
The function pointer may point to function 0x38b90.
In function 0x38b90, a3 (with a maximum length of 0x200) will be assigned to v5.
v5 is then copied to v62 through strncpy. The v62 buffer is 32 bytes, so a buffer overflow may occur.
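The last step of this chain, a source of up to 0x200 bytes copied into a 32-byte buffer, is shown below as an added example; it is not code from the firmware or from the report. The names `copy_field`, `try_length`, `SRC_MAX` and `FIELD_LEN` are hypothetical, and the form of the original `strncpy` bound is an assumption, since the report does not show that argument.

```c
#include <stdio.h>
#include <string.h>

#define SRC_MAX   0x200  /* fgets limit on the input line, as stated in the report */
#define FIELD_LEN 32     /* size of the destination buffer, as stated in the report */

/* Pattern the report describes, kept as a comment so it is never executed.
 * ASSUMPTION: the bound is derived from the source, not the destination.
 *
 *     char field[FIELD_LEN];
 *     strncpy(field, src, strlen(src));   // bound ignores sizeof(field)
 */

/* Hardened copy: bounded by the destination size, rejects oversized input
 * instead of truncating it, and always leaves dst NUL-terminated.
 * Returns 0 on success, -1 if src does not fit or an argument is invalid. */
int copy_field(char *dst, size_t dst_size, const char *src)
{
    const char *end;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);   /* terminator within dst_size bytes? */
    if (end == NULL) {                   /* no: src needs more room than dst has */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* copy including the NUL */
    return 0;
}

/* Constructed input: a source string of n filler bytes, copied into a
 * FIELD_LEN buffer. Returns copy_field's result, or -2 on a bad copy. */
int try_length(size_t n)
{
    char src[SRC_MAX], field[FIELD_LEN];
    int rc;

    if (n >= sizeof(src))
        return -1;
    memset(src, 'x', n);
    src[n] = '\0';
    rc = copy_field(field, sizeof(field), src);
    return (rc == 0 && strlen(field) != n) ? -2 : rc;
}

int main(void)
{
    printf("31 bytes: %d, 32 bytes: %d, 0x1ff bytes: %d\n",
           try_length(31), try_length(32), try_length(0x1ff));
    return 0;
}
```

Rejecting the oversized value, rather than truncating it to 31 bytes, keeps a cut-off name from being acted on further down the call chain.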