"The analysis showed that input from external messages is used directly to calculate a buffer length. This value is then passed to a strncpy operation without any boundary checks, while the stack buffer is only 3072 bytes in size. With a payload of 4096 bytes, the exploit managed to crash the service and confirmed that the program counter can be overwritten. This means that complete system compromise with root privileges is achievable."
"The vulnerability affects several popular models, including the Archer AX10 and AX1500. The exploit was tested with a proof-of-concept in which manipulated SOAP messages were sent via a GenieACS server. The vulnerable router crashed, and further analysis showed that exactly 3112 bytes were needed to overwrite the control register. With a specially constructed payload, researchers were able to fully control the program counter, unequivocally confirming the remote code execution scenario."
A stack-based buffer overflow exists in the CWMP (TR-069) implementation of TP-Link routers, triggered by SetParameterValues SOAP messages. Input from external messages is used to compute a buffer length that is passed to strncpy without boundary checks against a 3072-byte stack buffer. A 4096-byte payload crashes the service and allows program counter overwrite, enabling root-level system compromise. A proof-of-concept sent manipulated SOAP messages via a GenieACS server, crashing the router and showing 3112 bytes overwrite to reach the control register; a crafted payload achieved full program counter control. Identical binaries place many models at risk; FOFA located more than 4,200 exposed vulnerable devices. Patches are not yet available.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]