Headline

CVE-2023-24098: cve/README.md at master · chunklhit/cve

** UNSUPPORTED WHEN ASSIGNED ** TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the submit-url parameter at /formSysLog. This vulnerability allows attackers to execute arbitrary code via a crafted payload. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

2 years ago

CVE

Open in Source

#vulnerability #web #dos #rce #buffer_overflow

Overview

Vendor of the products: TRENDNet (https://www.trendnet.com/)

Reported by: johnawm of HIT-IDS ChunkL Team

Product: TRENDNet TEW-820AP (Version v1.0R)

Affected Version: TRENDNet TEW-820AP 1.01.B01

Firmware: https://downloads.trendnet.com/tew-820ap/firmware/tew-820apv1_(fw1.01b01).zip

Vulnerability Details

A stack overflow vulnerability exists in TrendNet Wireless AC Easy-Upgrader TEW-820AP (Version v1.0R, firmware version 1.01.B01) which may result in remote code execution or denial of service. The issue exists in the binary “boa” which resides in “/bin” folder, and the binary is responsible for serving http connection received by the device. While processing the post reuqest "/boafrm/formSysLog", the value of “submit-url” parameter (as shown at line 40,207,218 of Figure A) which can be arbitrarily long is copied onto stack memory by “sprintf” function (as shown at line 20 of Figure B), and could lead to a buffer overflow. The attackers can construct a payload to carry out arbitrary code attacks.

Figure A: The decompiled code of function which read value of parameter “submit-url” and call send_redirect_perm function with the value as a parameter.

Figure B: The decompiled code of function send_redirect_perm.

Reproduce and POC

To reproduce the vulnerability, the following steps can be followed: