Linksys EA7500 Routers Flaw Let Attackers Execute Remote Code
A severe security vulnerability has been recognized in the Linksys EA7500 routers, particularly affecting the model’s firmware all the absolute most realistic contrivance through all variations, collectively with the most up-to-date Ver.3.0.1.207964.
This flaw, if exploited, permits attackers with network adjacency to form arbitrary code on the instrument with out requiring authentication, posing a necessary anguish to customers’ network security.
CVE-2023-46012: A long way away Code Execution Vulnerability
The vulnerability resides in the handling of HTTP demand files by the Internet Gateway Machine (IGD) Popular Stagger and Play (UPnP) provider of the routers, as reported by Linksys.
The flaw is introduced about in the heart of the processing of a SOAP UPnP Movement Request of, the assign the router fails to adequately validate the scale of user-supplied files sooner than copying it to a collection-size stack buffer.
Susceptible Feature: SetDefaultConnectionService
The necessary procedure at the heart of this vulnerability is, recognized internally as _set_connection_type.
This procedure initializes an 184-byte buffer and makes an strive to tackle a user-supplied string variable. It does this by calling PAL_xml_node_GetFirstbyName and then PAL_xml_node_get_value.
Peek the code below:
int _set_connection_type(int **param_1) { int iVar1; char *var_value; size_t var_value_length; undefined uVar2; undefined1 *puVar3; char **ppcVar4; undefined4 *puVar5; char *pcVar6; int *piVar7; char acStack_d4 [184]; -----> /* Initializing 184-byte buffer */ memset(acStack_d4,0,0xb4); iVar1 = PAL_xml_node_GetFirstbyName((*param_1)[0xf0],"NewConnectionType",0); -----> /* iVar1 now points to the user-supplied value */ if ((iVar1 != 0) && (var_value = (char *)PAL_xml_node_get_value(), var_value != (char *)0x0)) { -----> /* Ensures the user-supplied value is not empty and obtains a pointer to it */ ...
On the opposite hand, an extraordinarily lengthy string can lead to a buffer overflow as a result of inferior validation.
This condition is exacerbated through the strncpy
procedure, which doesn’t ensure null termination or take a look at the scale of the destination buffer, allowing an attacker to overwrite necessary memory areas and doubtlessly hijack this system’s abet watch over scurry alongside with the walk.
Peek the code below:
int _set_connection_type(int **param_1) { ... var_value_length = strlen((char *)(iVar1 + 0x174)); ----> /* iVar1 is a pointer to the user supplied string */ strncpy(acStack_d4,(char *)(iVar1 + 0x174),var_value_length + 1); ----> /* Vulnerable strncpy call */ ...
An attacker can situation off the buffer overflow by crafting a malicious HTTP demand with an oversized string variable.
The train vulnerability permits the overwriting of a procedure return address on the stack, enabling redirection of execution to arbitrary addresses controlled by the attacker.
This may perchance perchance well well lead to unauthorized code execution with root privileges, compromising the entire instrument.
The Linksys EA7500 router customers are urged to visual display unit the Linksys enhance page for firmware updates addressing this vulnerability.
Given the flaw’s severity, it’s far major to note security patches as soon as they change into on hand to pause capacity exploits.
Source credit : cybersecuritynews.com