Headline

CVE-2023-24095: cve/README.md at master · chunklhit/cve

** UNSUPPORTED WHEN ASSIGNED ** TrendNet Wireless AC Easy-Upgrader TEW-820AP v1.0R, firmware version 1.01.B01 was discovered to contain a stack overflow via the submit-url parameter at /formSystemCheck. This vulnerability allows attackers to execute arbitrary code via a crafted payload. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

2 years ago

CVE

Open in Source

#vulnerability #web #dos #rce #buffer_overflow

Overview

Vendor of the products: TRENDNet (https://www.trendnet.com/)

Reported by: johnawm of HIT-IDS ChunkL Team

Product: TRENDNet TEW-820AP (Version v1.0R)

Affected Version: TRENDNet TEW-820AP 1.01.B01

Firmware: https://downloads.trendnet.com/tew-820ap/firmware/tew-820apv1_(fw1.01b01).zip

Vulnerability Details

A stack overflow vulnerability exists in TrendNet Wireless AC Easy-Upgrader TEW-820AP (Version v1.0R, firmware version 1.01.B01) which may result in remote code execution or denial of service. The issue exists in the binary “boa” which resides in “/bin” folder, and the binary is responsible for serving http connection received by the device. While processing the post reuqest "/boafrm/formSystemCheck", the value of “submit-url” parameter (as shown at line 33-35 of Figure A) which can be arbitrarily long is copied onto stack memory by “sprintf” function (as shown at line 20 of Figure B), and could lead to a buffer overflow. The attackers can construct a payload to carry out arbitrary code attacks.

Figure A: The decompiled code of function which read value of parameter “submit-url” and call send_redirect_perm function with the value as a parameter.

Figure B: The decompiled code of function send_redirect_perm.

Reproduce and POC

To reproduce the vulnerability, the following steps can be followed: