Vulnerability Title: Stack-Based Buffer Overflow via pptpDfGateway in IQ Setup setWAN Handler of Edimax BR-6428nC v1.16
Discovered by: tzh00203
Contact Information: [email protected]
Affected Version: Edimax BR-6428nC v1.16
Component: boa web server IQ setup handler setWAN
A stack-based buffer overflow vulnerability exists in the IQ setup setWAN handler of Edimax BR-6428nC v1.16. In the PPTP configuration path, the attacker-controlled pptpDfGateway parameter is copied into a fixed-size stack buffer with strcpy() and without any length validation.
An attacker can send an oversized request value to crash the web process and may be able to achieve arbitrary code execution depending on memory layout and platform protections.
The vulnerable function allocates local fixed-size buffers:
void setWAN(webs_t wp, char_t * path, char_t * query)
{
    char tmpstr[128], tmpstr1[128], tmpstr2[128];   /* fixed-size stack buffers */
    ...
}
When wanMode=3 and pptpIpMode=1, the code copies the request parameter directly:
    strcpy(tmpstr, websGetVar(wp, T("pptpDfGateway"), T("")));  /* unbounded copy of the request value into char[128] */
    if (!tmpstr[0]) strcpy(tmpstr, "0.0.0.0");
    inet_aton(tmpstr, &inIp);                                   /* conversion only after the copy has happened */
    apmib_set(MIB_PPTPDFGATEWAY, (void *)&inIp);
Because strcpy() performs no bounds checking, any pptpDfGateway value longer than 127 bytes will overflow tmpstr on the stack before any validation or conversion takes place.
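As an added example (not Edimax's or boa's code), the hardened counterpart of the copy above: the value's length is checked before a bounded copy into the same 128-byte buffer, and the address is parsed before anything is stored. websGetVar_stub, check_gateway and oversized_value_rejected are assumed stand-ins for the boa API and for a constructed test input.

```c
#define _DEFAULT_SOURCE          /* declares strnlen() and inet_aton() */
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define TMPSTR_LEN 128           /* matches char tmpstr[128] in setWAN */

/* Assumed stub for boa's websGetVar(): constructed request value or default. */
static const char *websGetVar_stub(const char *value, const char *dflt)
{
    return value ? value : dflt;
}

/* Hardened replacement for the pptpDfGateway copy in setWAN.
 * Returns 0 on success, -1 if the value would not fit tmpstr, -2 if it
 * is not a dotted-quad IPv4 address; *out receives the parsed address. */
int set_pptp_gateway_safe(const char *request_value, struct in_addr *out)
{
    char tmpstr[TMPSTR_LEN];
    const char *val = websGetVar_stub(request_value, "");
    /* Length check before any copy; strnlen() stops at sizeof tmpstr,
     * so an arbitrarily long value is rejected without reading it all. */
    if (strnlen(val, sizeof tmpstr) >= sizeof tmpstr)
        return -1;
    snprintf(tmpstr, sizeof tmpstr, "%s", val);   /* always NUL-terminated */
    if (!tmpstr[0])                               /* same default as original */
        snprintf(tmpstr, sizeof tmpstr, "0.0.0.0");
    if (inet_aton(tmpstr, out) == 0)              /* validate before storing */
        return -2;
    /* apmib_set(MIB_PPTPDFGATEWAY, (void *)out); would follow here. */
    return 0;
}

/* Status-only wrapper used by the checks below. */
int check_gateway(const char *request_value)
{
    struct in_addr ip;
    return set_pptp_gateway_safe(request_value, &ip);
}

/* Constructs a 200-byte value (longer than tmpstr) and returns 1 if the
 * hardened path rejects it instead of overflowing the stack buffer. */
int oversized_value_rejected(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return check_gateway(big) == -1;
}
```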
The handler is reachable through:
websFormDefine(T("setWAN"), setWAN);
The IQ setup authentication logic further indicates that the route may be exposed before ordinary login enforcement while the device is still in default setup mode.