Headline
CVE-2023-34346: TALOS-2023-1764 || Cisco Talos Intelligence Group
A stack-based buffer overflow vulnerability exists in the httpd gwcfg.cgi get functionality of Yifan YF325 v1.0_20221108. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
SUMMARY
A stack-based buffer overflow vulnerability exists in the httpd gwcfg.cgi get functionality of Yifan YF325 v1.0_20221108. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Yifan YF325 v1.0_20221108
PRODUCT URLS
YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html
CVSSv3 SCORE
9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-489 - Leftover Debug Code
DETAILS
The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.
The YF325 router provides a series of APIs. The API that manages the gwcfg.cgi/get* endpoints uses a specific function to parse the incoming data; this API is probably a left over debug code. This API uses the httpd’s gwcfg_cgi_get_manage_post_data function to parse the incoming data:
void gwcfg_cgi_get_manage_post_data(undefined4 URL_path,undefined4 client_FD,undefined4 content_length)
{
[...]
memset(post_data,0,0x400);
APP_TRACE("do_get_cfg_post url:%s,len:%d\n",URL_path,content_length);
abc_var = websGetVar(client_FD,"abc","0");
if (abc_var != 0) {
APP_TRACE("abc:%s\n",abc_var);
}
read_n = wfread(post_data,1,content_length,client_FD); [1]
APP_TRACE("wfread ret:%d\n",read_n);
APP_TRACE("do_get_cfg_post buf:%s\n",post_data);
return;
}
The function reads, at [1], the data of the request using the provided Content-Length. Because the content length is not checked against the length of the post_data static buffer, there is a stack-base buffer overflow at [1]. This function is reachable prior to authentication.
TIMELINE
2023-06-28 - Initial Vendor Contact
2023-07-06 - Vendor Disclosure
2023-10-11 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Related news
Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.