CVE-2023-35055: TALOS-2023-1761 || Cisco Talos Intelligence Group

A buffer overflow vulnerability exists in the httpd next_page functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability. This buffer overflow is in the next_page parameter in the gozila_cgi function.


SUMMARY

A buffer overflow vulnerability exists in the httpd next_page functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0_20221108

PRODUCT URLS

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The Yifan YF325 is an industrial cellular router. The device is designed for M2M and IoT applications, allowing remote management and offering several VPN services among many other features.

The YF325 offers several APIs. A few of them can redirect the client to a specific page after the API call completes. The piece of code that does this is the following:

[...]
next_page = (char *)websGetVar(fd,"next_page",0);
if (next_page != (char *)0x0) {
  strcpy(URL_path,next_page);
}
[...]

URL_path is a char pointer to a fixed-size buffer that lives on the stack of the first function that receives the HTTP request.

Because next_page is fetched from the request's data and then passed directly to strcpy with no length check, this pattern is vulnerable to a stack-based buffer overflow.
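The fix for this pattern is to bound the copy by the size of the destination and to reject, rather than silently truncate, a value that does not fit. The following is an added example written for this page, not code from the advisory or from the YF325 firmware: URL_PATH_MAX, set_next_page, handle_redirect and the "/index.asp" default are assumptions, since the advisory does not state the real size of URL_path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the URL_path stack buffer (the advisory does not give it). */
#define URL_PATH_MAX 256

/* Hardened replacement for `strcpy(URL_path, next_page)`.
 * Copies next_page into url_path only if it fits, NUL terminator included;
 * otherwise url_path is left untouched and -1 is returned.
 * A NULL next_page means "no redirect requested" and returns 0. */
int set_next_page(char *url_path, size_t url_path_size, const char *next_page)
{
    if (url_path == NULL || url_path_size == 0) {
        return -1;
    }
    if (next_page == NULL) {
        return 0;                       /* parameter absent: nothing to copy */
    }
    /* memchr bounds the scan to url_path_size bytes, so an overlong or
     * unterminated value is detected without reading past that limit. */
    const char *nul = memchr(next_page, '\0', url_path_size);
    if (nul == NULL) {
        return -1;                      /* strlen(next_page) >= url_path_size: would overflow */
    }
    size_t len = (size_t)(nul - next_page);
    memcpy(url_path, next_page, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

/* Models the request handler's frame from the advisory: a fixed-size
 * URL_path buffer holding a default page, updated from the request's
 * next_page value only through the bounded helper. Returns 0 when the
 * redirect was accepted, -1 when the value was rejected as too long. */
int handle_redirect(const char *next_page, char *out, size_t out_size)
{
    char url_path[URL_PATH_MAX] = "/index.asp";   /* constructed default page */
    int rc = set_next_page(url_path, sizeof url_path, next_page);
    /* Hand the (possibly unchanged) target back to the caller for inspection. */
    if (out != NULL && out_size > 0) {
        snprintf(out, out_size, "%s", url_path);
    }
    return rc;
}

int main(void)
{
    char target[URL_PATH_MAX];
    char too_long[URL_PATH_MAX + 8];

    /* Constructed sample inputs: one that fits, one that does not. */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    int rc = handle_redirect("status.asp", target, sizeof target);
    printf("rc=%d target=%s\n", rc, target);

    rc = handle_redirect(too_long, target, sizeof target);
    printf("rc=%d target=%s (rejected, default kept)\n", rc, target);
    return 0;
}
```

The helper rejects rather than truncates because a silently shortened redirect target can still point to an unintended page; returning an error lets the caller fall back to the default and log the oversized parameter.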

CVE-2023-35055 - gozila_cgi

The gozila_cgi function is affected by this vulnerable pattern. The API function that calls gozila_cgi is shown below:

void cgi_handler(undefined mime,char *URL_path,dword fd,char *query_string)

{
  [...]

  if (post == 1) {
    request_data = POST_DATA;
  }
  else {
    request_data = URL_path;
    query_string = strsep(&request_data,"?");
    if (query_string != (char *)0x0) {
      URL_path = query_string;
    }
    init_cgi(request_data);
  }
  request_data_ = request_data;
  need_reboot = (char *)websGetVar(fd,"need_reboot","0");
  need_rebot_value = atoi(need_reboot);
  change_action = (char *)websGetVar(fd,"change_action","");
  if ((change_action != (char *)0x0) && (is_gozila = strcmp(change_action,"gozila_cgi"), is_gozila == 0)) {
    gozila_cgi(fd,0,URL_path);                                                                                  [1]
    goto RET;
  }
  [...]
}

At [1] the gozila_cgi function is called, and eventually the pattern shown above is reached:

int gozila_cgi(undefined4 fd,undefined param_2,char *URL_path)

{
    [...]

    nvram_set("gozila_action","1");
    next_page = '\0';
    submit_button = websGetVar(fd,"submit_button",0);
    submit_type = websGetVar(fd,"submit_type",0);
    godzila_ptr = (godzila_object *)handle_gozila_action(submit_button,submit_type);
    [...]
    next_page = (char *)websGetVar(fd,"next_page",0);
    if (next_page != (char *)0x0) {
      strcpy(URL_path,next_page);
    }
    [...]
}

This vulnerability can be reached without authentication.

CVE-2023-35056 - cgi_handler

The cgi_handler function is the entry point for different APIs. This function is affected by this vulnerable pattern:

void cgi_handler(undefined mime,char *URL_path,dword fd,char *query_string)

{
  [...]

  if (post == 1) {
    request_data = POST_DATA;
  }
  else {
    request_data = URL_path;
    query_string = strsep(&request_data,"?");
    if (query_string != (char *)0x0) {
      URL_path = query_string;
    }
    init_cgi(request_data);
  }
  request_data_ = request_data;
  need_reboot = (char *)websGetVar(fd,"need_reboot","0");
  need_rebot_value = atoi(need_reboot);
  change_action = (char *)websGetVar(fd,"change_action","");
  if ((change_action != (char *)0x0) && (is_gozila = strcmp(change_action,"gozila_cgi"), is_gozila == 0)) {
    gozila_cgi(fd,0,URL_path);
    goto RET;
  }
  [...]
  next_page = (char *)websGetVar(fd,"next_page",0);
  if (next_page != (char *)0x0) {
    strcpy(URL_path,next_page);
  }
  [...]
}

This vulnerability can be reached without authentication.

TIMELINE

2023-06-28 - Initial Vendor Contact
2023-07-06 - Vendor Disclosure
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Related news

10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.
