A severe security vulnerability has been identified in the Linksys EA7500 routers, specifically affecting the model’s firmware across all versions, including the latest Ver.3.0.1.207964.
This flaw, if exploited, allows attackers with network adjacency to execute arbitrary code on the device without requiring authentication, posing a significant risk to users’ network security.
CVE-2023-46012: Remote Code Execution Vulnerability
The vulnerability resides in the handling of HTTP request data by the Internet Gateway Device (IGD) Universal Plug and Play (UPnP) service of the routers, as reported by Linksys.
The flaw is triggered during the processing of a SOAP UPnP Action Request, where the router fails to adequately validate the length of user-supplied data before copying it to a fixed-length stack buffer.
Vulnerable Function: SetDefaultConnectionService
The function at the heart of this vulnerability is identified internally as _set_connection_type.
It initializes a 184-byte stack buffer and then handles the user-supplied string value by calling PAL_xml_node_GetFirstbyName to locate the NewConnectionType node of the request, followed by PAL_xml_node_get_value to fetch its value.
See the decompiled code below:

int _set_connection_type(int **param_1)
{
    int iVar1;
    char *var_value;
    size_t var_value_length;
    undefined uVar2;
    undefined1 *puVar3;
    char **ppcVar4;
    undefined4 *puVar5;
    char *pcVar6;
    int *piVar7;
    char acStack_d4 [184];                  /* 184-byte stack buffer */

    memset(acStack_d4, 0, 0xb4);            /* 0xb4 == 184 */
    /* Look up the NewConnectionType node of the SOAP request; iVar1 points at
       the node, and the node's text value lives at iVar1 + 0x174 */
    iVar1 = PAL_xml_node_GetFirstbyName((*param_1)[0xf0], "NewConnectionType", 0);
    /* Continue only if the node exists and carries a non-NULL value */
    if ((iVar1 != 0) && (var_value = (char *)PAL_xml_node_get_value(), var_value != (char *)0x0)) {
    ...
An overly long NewConnectionType value therefore overflows the buffer, because its length is never checked against the 184 bytes available.
The use of strncpy does not help here: the length argument passed to it is strlen() of the user-supplied string plus one, so the bound is derived from the attacker's input rather than from the size of the destination buffer, and the call behaves like an unbounded strcpy.
Any value longer than 183 characters overwrites whatever follows the buffer on the stack, allowing an attacker to corrupt critical memory and hijack the program's control flow.
See the code below:

int _set_connection_type(int **param_1)
{
    ...
    /* iVar1 + 0x174 is the user-supplied NewConnectionType string */
    var_value_length = strlen((char *)(iVar1 + 0x174));
    /* Vulnerable call: the bound is the source length + 1, not sizeof(acStack_d4) */
    strncpy(acStack_d4, (char *)(iVar1 + 0x174), var_value_length + 1);
    ...
An attacker can trigger the buffer overflow by crafting a malicious HTTP request with an oversized string variable.
The specific vulnerability allows the overwriting of a function return address on the stack, enabling redirection of execution to arbitrary addresses controlled by the attacker.
This could lead to unauthorized code execution with root privileges, compromising the entire device.
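To make the defect concrete, the following is an added example written for this article; it is not code from Linksys, from the firmware, or from the vulnerability report. It models the data flow in C: a stand-in for the PAL_xml_node_* lookup pulls NewConnectionType out of a constructed SOAP body, a vulnerable handler reproduces the strlen-plus-one copy into a 184-byte buffer inside a simulated stack frame, and a hardened handler bounds the copy by the destination size and rejects oversized input. The find_node_value helper, the frame layout (saved return address directly after the buffer), the placeholder return address value and the sample SOAP bodies are all assumptions made for illustration; the real firmware's parser and frame layout are not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of acStack_d4, the stack buffer in _set_connection_type. */
#define CONN_TYPE_BUF 184

/* Hypothetical stand-in for PAL_xml_node_GetFirstbyName + PAL_xml_node_get_value
 * (not the firmware's parser): return a pointer to the text of the first
 * <name>...</name> element in body, with its length in *len, or NULL. */
const char *find_node_value(const char *body, const char *name, size_t *len)
{
    char open[64], close[64];
    const char *start, *end;

    snprintf(open, sizeof open, "<%s>", name);
    snprintf(close, sizeof close, "</%s>", name);
    start = strstr(body, open);
    if (start == NULL)
        return NULL;
    start += strlen(open);
    end = strstr(start, close);
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Simulated stack frame: the 184-byte buffer followed by a saved return
 * address. Adjacency is an assumption for illustration only. */
struct frame {
    char acStack_d4[CONN_TYPE_BUF];
    uint32_t saved_ra;
};

#define PLACEHOLDER_RA 0x00401234u   /* stand-in for the real return address */

/* Vulnerable pattern from the decompilation: n for strncpy is strlen(src) + 1,
 * so it never limits the write. The bytes strncpy would write are stored
 * through a flat byte view of the frame (stopping at the frame's end) so the
 * demonstration stays within defined behaviour. Returns 1 if saved_ra was
 * clobbered, 0 if the copy stayed inside acStack_d4. */
int vulnerable_set_connection_type(const char *value, size_t value_len)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    size_t copy_len = value_len + 1;  /* strncpy(acStack_d4, src, strlen(src) + 1) */
    size_t n = copy_len < sizeof f ? copy_len : sizeof f;

    memset(f.acStack_d4, 0, sizeof f.acStack_d4);   /* memset(acStack_d4, 0, 0xb4) */
    f.saved_ra = PLACEHOLDER_RA;

    memcpy(raw, value, n > value_len ? value_len : n);  /* the string bytes ... */
    if (n > value_len)
        raw[value_len] = '\0';                          /* ... then strncpy's NUL pad */
    return f.saved_ra != PLACEHOLDER_RA;
}

/* Hardened form: bound the copy by the destination size and reject oversized
 * input instead of silently truncating it. Returns 0 on success, -1 on reject. */
int set_connection_type_safe(const char *value, size_t value_len,
                             char *dst, size_t dst_len)
{
    if (value_len >= dst_len)   /* no room left for the terminator */
        return -1;
    memcpy(dst, value, value_len);
    dst[value_len] = '\0';
    return 0;
}

/* Run both handlers over two constructed SOAP bodies (a benign value and a
 * 300-byte one); returns 1 if the behaviour matches the article's account. */
int demo(void)
{
    static const char benign[] =
        "<s:Envelope><s:Body><NewConnectionType>IP_Routed"
        "</NewConnectionType></s:Body></s:Envelope>";
    static char oversized[512], filler[301];
    char dst[CONN_TYPE_BUF];
    const char *v;
    size_t len = 0;

    memset(filler, 'A', 300);
    filler[300] = '\0';
    snprintf(oversized, sizeof oversized, "<s:Envelope><s:Body><NewConnectionType>"
             "%s</NewConnectionType></s:Body></s:Envelope>", filler);

    v = find_node_value(benign, "NewConnectionType", &len);
    if (v == NULL || len != 9 || vulnerable_set_connection_type(v, len) != 0)
        return 0;
    if (set_connection_type_safe(v, len, dst, sizeof dst) != 0 || strcmp(dst, "IP_Routed") != 0)
        return 0;

    v = find_node_value(oversized, "NewConnectionType", &len);
    if (v == NULL || len != 300 || vulnerable_set_connection_type(v, len) != 1)
        return 0;
    return set_connection_type_safe(v, len, dst, sizeof dst) == -1;
}

int main(void)
{
    int ok = demo();
    printf("vulnerable copy clobbers return address, hardened copy rejects: %s\n",
           ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Because strncpy's count is strlen(src) + 1, the "bounded" copy writes exactly as many bytes as the attacker supplied; the hardened version takes the bound from the destination and fails closed, which is the change a firmware fix needs to make regardless of the exact stack layout.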
Linksys EA7500 users are urged to monitor the Linksys support page for firmware updates addressing this vulnerability.
Given the flaw’s severity, it is critical to apply security patches as soon as they become available to prevent potential exploits.