Netgear WNR854T Stack-Based Buffer Overflow Vulnerability in UPnP Service Allowing Arbitrary Code Execution

Vulnerability

A stack-based buffer overflow has been identified in the UPnP service of the Netgear WNR854T router, firmware version 1.5.2 (North America). The flaw is in the SetDefaultConnectionService handler, where sscanf is called without a field-width limit and copies attacker-controlled input into a fixed-size stack buffer. A value longer than that buffer corrupts the stack frame and lets the attacker take control of the program counter, which can in turn be used to execute arbitrary code on the device.

Impact

Successful exploitation gives a remote attacker arbitrary code execution on the router. No credentials are needed: UPnP and SSDP requests are not authenticated.

Reproduction

To trigger the overflow, send the UPnP service a crafted M-SEARCH request whose ST header carries a value longer than the destination buffer; the handler performs no bounds check, so the excess bytes overwrite adjacent stack memory. The request can be sent from the local network or, because the UPnP service is exposed on the WAN interface, from the internet. Two things to verify before relying on this description: SetDefaultConnectionService, named above as the vulnerable function, is a SOAP action of the UPnP IGD Layer3Forwarding service rather than an SSDP M-SEARCH field, so confirm against the firmware which of the two request paths reaches the unbounded sscanf; and probe UDP port 1900 on the WAN address to check whether a given unit actually answers SSDP from outside. If no fixed firmware is available, disabling UPnP in the router's administration interface removes the exposed code path.
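The following is an added example, not code from the advisory or from Netgear's firmware, that models the bug class described above: an attacker-side builder for an M-SEARCH request with an oversized ST value, a device-side handler that copies the value with an unbounded sscanf "%s" into a stack buffer, and the hardened form with a width limit plus truncation detection. The 64-byte buffer size, the request layout, the "%s" format string and the function names are assumptions; the entry does not give the real firmware's format string or buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer the UPnP daemon fills from the ST header.
 * The real firmware's buffer size and sscanf format are not given in the entry. */
#define ST_BUF 64

/* Attacker side: build an SSDP M-SEARCH request whose ST header value is
 * st_len bytes of 'A'. Returns the request length, or -1 if it does not fit. */
static int build_msearch(size_t st_len, char *out, size_t outlen)
{
    static const char head[] =
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "MAN: \"ssdp:discover\"\r\n"
        "MX: 1\r\n"
        "ST: ";
    static const char tail[] = "\r\n\r\n";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;

    if (hl + st_len + tl + 1 > outlen) return -1;
    memcpy(out, head, hl);
    memset(out + hl, 'A', st_len);
    memcpy(out + hl + st_len, tail, tl + 1);      /* includes the NUL */
    return (int)(hl + st_len + tl);
}

/* Device side: return a pointer to the ST header value inside req (after the
 * "ST:" name and any blanks), or NULL. The name is matched in upper case,
 * which is how SSDP clients normally send it (an assumption, not a spec claim). */
static const char *find_st(const char *req)
{
    const char *p = req;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (strncmp(p, "ST:", 3) == 0) {
            p += 3;
            while (*p == ' ' || *p == '\t') p++;
            return p;
        }
    }
    return NULL;
}

/* Vulnerable pattern: "%s" has no field width, so a value longer than
 * ST_BUF-1 bytes runs past st[] into the rest of the frame. Only ever called
 * with short input here; the overflow itself is undefined behaviour. */
static int parse_st_vuln(const char *value)
{
    char st[ST_BUF];
    if (sscanf(value, "%s", st) != 1) return -1;
    return (int)strlen(st);
}

/* Hardened form: a field width derived from the buffer size bounds the copy,
 * and %n records how far the scan got so an over-long value is rejected
 * instead of silently truncated. Returns the token length or -1. */
static int parse_st_safe(const char *value, char *st, size_t stlen)
{
    char fmt[32];
    int consumed = 0;
    char next;

    if (stlen < 2 || stlen > 4096) return -1;
    snprintf(fmt, sizeof fmt, "%%%zus%%n", stlen - 1);   /* e.g. "%63s%n" */
    if (sscanf(value, fmt, st, &consumed) != 1) return -1;

    next = value[consumed];                              /* first byte not consumed */
    if (next != '\0' && next != '\r' && next != '\n' && next != ' ' && next != '\t')
        return -1;                                       /* value did not fit */
    return (int)strlen(st);
}

/* Bytes an unbounded %s would write past a bufsize-byte buffer for a token of
 * token_len bytes (the terminating NUL counts); 0 when the token fits. */
static size_t overflow_bytes(size_t token_len, size_t bufsize)
{
    return token_len + 1 > bufsize ? token_len + 1 - bufsize : 0;
}

/* End to end: craft a request with an st_len-byte ST value and run the hardened
 * parser over it. Returns the accepted length, or -1 when rejected. */
static int parse_msearch_st(size_t st_len)
{
    char req[4096], st[ST_BUF];
    const char *v;

    if (build_msearch(st_len, req, sizeof req) < 0) return -1;
    if ((v = find_st(req)) == NULL) return -1;
    return parse_st_safe(v, st, sizeof st);
}

int main(void)
{
    printf("ST of 10 bytes  -> %d\n", parse_msearch_st(10));
    printf("ST of 200 bytes -> %d (rejected by the bounded parser)\n", parse_msearch_st(200));
    printf("unbounded %%s with a 200-byte ST overruns a %d-byte buffer by %zu bytes\n",
           ST_BUF, overflow_bytes(200, ST_BUF));
    return 0;
}
```

The width limit alone would only truncate; the %n check is what turns an oversized header into a rejected request, which is the behaviour a patched handler should have. On a real target, replace the constructed request with one sent to UDP port 1900 and confirm the crash before reasoning about control of the program counter.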

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.