NEXTU FLETA AX1500 WiFi6 Buffer Overflow Vulnerability Allowing Denial-of-Service and Potential Arbitrary Code Execution

A buffer overflow vulnerability has been identified in the NEXTU FLETA AX1500 WiFi6 router, specifically in version 1.0.3. The issue arises in the router's web management interface, where the Boa web server improperly handles the length of QoS rule names. This flaw allows attackers to exploit the vulnerability by sending a crafted POST request, leading to a stack buffer overflow. As a result, the vulnerability can cause a denial-of-service condition or potentially allow for arbitrary code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition on the affected router. Additionally, it can lead to arbitrary code execution, although the proof-of-concept indicates that while the vulnerability will cause a denial-of-service, the arbitrary code execution may not occur.

Reproduction

To reproduce this vulnerability, the router must be reset to its factory default state or the user must be logged in. Once this is done, ten QoS rules must be pre-saved. Afterward, the IP QoS page must be accessed via the web dashboard. With these conditions met, a POST request can be sent to the '/boafrm/formIpQoS' endpoint. The request must include the 'entry_name' parameter, which can be crafted to include arbitrary code and an address that will be executed on the router.