Netgear WNR854T Stack-Based Buffer Overflow Vulnerability in UPnP Service Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Netgear WNR854T router, specifically in version 1.5.2 for North America. The issue arises in the UPnP service's 'parse_st_header' function, where the ST header of M-SEARCH requests is copied into a fixed-size stack buffer without proper bounds checking. This vulnerability allows attackers to overwrite adjacent memory, hijack control flow, and execute arbitrary system commands. Exploitation can be performed remotely over the internet, taking advantage of the UPnP service's exposure on the WAN interface.

Impact

Successful exploitation of this vulnerability allows for remote code execution on the affected device, leading to full system compromise.

Reproduction

To reproduce this vulnerability, send a crafted M-SEARCH request to the UPnP service on the router's WAN interface. The request must include an oversized ST header value, which will overflow the stack buffer in the 'parse_st' function. Once the buffer overflow occurs, control can be redirected to execute arbitrary commands on the device.
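The trigger condition above (an M-SEARCH request whose ST header is far longer than any legitimate search target) is easy to recognise on the wire, which is the basis for a network-side detection. The following Python is an added example, not code from the advisory or from Netgear: it parses raw SSDP datagrams, folds header names to lowercase, and flags M-SEARCH requests whose ST value exceeds a length threshold. The threshold (128 bytes) and the sample datagrams are constructed assumptions; the advisory does not state the size of the vulnerable stack buffer, so the limit is chosen to be well above any real search target (`ssdp:all`, `upnp:rootdevice`, `urn:schemas-upnp-org:device:...`) rather than to match the overflow point.

```python
"""Flag SSDP M-SEARCH datagrams carrying an oversized ST header.

Added detection example; the threshold and sample traffic are constructed
assumptions, not values taken from the advisory.
"""

# Assumption: legitimate ST search targets are short URNs; anything longer
# than this is treated as anomalous regardless of the real buffer size.
MAX_ST_LEN = 128


def parse_ssdp_request(datagram: bytes) -> dict:
    """Parse a raw SSDP datagram into a method plus a lowercase header map.

    Lines without a ':' separator are ignored; parsing stops at the blank
    line that ends the header block. The decode uses latin-1 so that any
    byte sequence (including binary padding) parses without raising.
    """
    lines = datagram.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "headers": headers}


def check_msearch(datagram: bytes, max_st_len: int = MAX_ST_LEN) -> dict:
    """Return a verdict dict for one datagram.

    Only M-SEARCH requests are scored, since that is the request type whose
    ST header the advisory says reaches the fixed-size buffer.
    """
    req = parse_ssdp_request(datagram)
    is_msearch = req["method"] == "M-SEARCH"
    st_value = req["headers"].get("st", "")
    return {
        "is_msearch": is_msearch,
        "st_len": len(st_value),
        "suspicious": is_msearch and len(st_value) > max_st_len,
    }


def scan_datagrams(datagrams: list, max_st_len: int = MAX_ST_LEN) -> list:
    """Return the indices of datagrams that trip the oversized-ST check."""
    return [
        i for i, d in enumerate(datagrams)
        if check_msearch(d, max_st_len)["suspicious"]
    ]


# Constructed sample traffic (not captured from a real device).
SAMPLE_BENIGN = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\n"
    b"ST: ssdp:all\r\n"
    b"\r\n"
)

# Same request shape, but with an ST value far longer than any search target.
SAMPLE_OVERSIZED = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\n"
    b"MX: 2\r\n"
    b"ST: " + b"A" * 600 + b"\r\n"
    b"\r\n"
)

# A NOTIFY advertisement with a long header should not be flagged: the
# check is scoped to M-SEARCH, matching the advisory's description.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: " + b"B" * 300 + b"\r\n"
    b"NTS: ssdp:alive\r\n"
    b"\r\n"
)

SAMPLES = [SAMPLE_BENIGN, SAMPLE_OVERSIZED, SAMPLE_NOTIFY]

if __name__ == "__main__":
    for i, d in enumerate(SAMPLES):
        print(i, check_msearch(d))
    print("suspicious indices:", scan_datagrams(SAMPLES))
```

In practice this check would run over UDP/1900 traffic mirrored from the WAN side of the router; because the advisory's point is that the service is reachable from the WAN at all, the corresponding mitigation is to stop UPnP from listening on the WAN interface (or filter inbound UDP/1900 upstream) rather than to tune the threshold.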

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread          4.5
  impact          7.5
  exploitability  9.1
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.