Linksys WRT120N Stack-Based Buffer Overflow Vulnerability in tmUnblock.cgi Endpoint Allows Unauthorized Password Reset

A stack-based buffer overflow vulnerability has been identified in the Linksys WRT120N wireless router, specifically within the tmUnblock.cgi endpoint. This vulnerability arises from the improper handling of the TM_Block_URL parameter in HTTP POST requests, allowing an unauthenticated remote attacker to overwrite memory and temporarily reset the router's administrator password to a blank value. The issue has been confirmed on WRT120N firmware version 1.0.07.

Impact

Exploitation of this vulnerability allows for unauthorized access to the router's web management interface by resetting the administrator password to a blank value.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the '/cgi-bin/tmUnblock.cgi' endpoint with an overly long TM_Block_URL parameter. The request must include a crafted payload that exploits the buffer overflow by overwriting the memory address where the admin password is stored. After successfully exploiting the vulnerability, log in to the router using the 'admin' username and a blank password.