Netgear WNR854T UPnP Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Netgear WNR854T router, version 1.5.2 for North America. The flaw is in the UPnP service's processing of the M-SEARCH Host header. Because the header value is copied without proper bounds checking, an attacker can craft a request that overwrites adjacent stack memory and hijacks execution flow, leading to remote code execution. The vulnerability is particularly concerning because UPnP is exposed on the WAN side, so it can be exploited over the internet without authentication.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected device, with the potential for full system compromise.

Reproduction

To reproduce this vulnerability, send a crafted M-SEARCH request via UDP to port 1900. The Host header must be oversized to overflow the stack buffer in the UPnP service. Any socket client that can send a UDP datagram containing the oversized header value is sufficient.
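For detection, the same condition can be checked on traffic to UDP port 1900. The following is an added example, not code from the advisory or from Netgear: it parses an SSDP datagram and flags M-SEARCH requests whose Host header is oversized, missing, duplicated, or not one of the SSDP multicast endpoints, and requests that arrive from outside the LAN. The LAN prefix, the 64-byte ceiling, the function name and the finding labels are assumptions.

```python
import ipaddress
import re

# Assumed values, not from the advisory: the LAN prefix and the length ceiling.
LAN = ipaddress.ip_network("192.168.1.0/24")
MAX_HOST_LEN = 64
# HOST values defined for SSDP: IPv4 multicast group, or IPv6 link/site-local scope.
SSDP_HOST = re.compile(rb"^(239\.255\.255\.250|\[ff0[25]::c\])(:1900)?$", re.I)

def inspect_msearch(src_ip: str, payload: bytes) -> list[str]:
    """Return findings for one UDP/1900 datagram; an empty list means nothing flagged."""
    lines = [ln.rstrip(b"\r") for ln in payload.split(b"\n")]
    if not lines[0].upper().startswith(b"M-SEARCH "):
        return []  # NOTIFY, responses and non-SSDP traffic are out of scope here
    findings = []
    if ipaddress.ip_address(src_ip) not in LAN:
        findings.append("msearch-from-outside-lan")
    hosts = []
    for ln in lines[1:]:
        if not ln:
            break  # blank line ends the header block
        name, sep, value = ln.partition(b":")
        if sep and name.strip().upper() == b"HOST":
            hosts.append(value.strip())
    if len(hosts) != 1:
        findings.append("host-header-count-%d" % len(hosts))
    for h in hosts:
        if len(h) > MAX_HOST_LEN:
            findings.append("host-oversized-%d" % len(h))
        elif not SSDP_HOST.match(h):
            findings.append("host-unexpected-value")
    return findings

# Constructed sample datagrams (not captured traffic).
BENIGN = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
OVERSIZED = (b"M-SEARCH * HTTP/1.1\r\nHOST: " + b"A" * 300 +
             b'\r\nMAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

if __name__ == "__main__":
    print(inspect_msearch("192.168.1.23", BENIGN))
    print(inspect_msearch("203.0.113.7", OVERSIZED))
```

The same two conditions, an M-SEARCH arriving on the WAN interface and a Host value far longer than any SSDP endpoint, translate directly into a firewall drop rule or an IDS signature on UDP port 1900.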

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.