Viasat RM4100
- < 3.8.0.4
A stack buffer overflow vulnerability has been identified in Viasat modems, including the RM4100, RM4200, EM4100, RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020 models. This vulnerability arises from insecure path parsing in the 'SNORE' web interface, which is accessible over LAN and via the OTA interface. The issue can be exploited by an attacker on the same local network, who sends a specially crafted HTTP request that overflows a buffer in the 'index.cgi' CGI binary. This exploitation allows for arbitrary code execution on the modem.
Exploitation of this vulnerability leads to unauthorized remote code execution on the affected modem.
The vulnerability can be reproduced by sending an HTTP request to the 'SNORE' interface on TCP port 9882. The request must include a crafted URI that exploits the buffer overflow by overwriting the path buffer with excessive data, specifically 512 bytes of 'A's followed by additional characters. This can be done using a simple HTTP client or a script that automates the request.
Users are advised to ensure their devices are online to receive the automated over-the-air update from Viasat. After the update, verify the running version using the administrative interface.
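The following is an added example, not part of the original advisory and not Viasat code. It flags requests to the SNORE port whose percent-decoded path reaches the 512-byte length cited above, and compares a firmware version string with the fixed release listed for the RM4100. The key=value log format, field names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

SNORE_PORT = 9882             # TCP port of the SNORE interface, from the advisory
MAX_PATH_BYTES = 512          # filler length the advisory cites for the path buffer
FIXED_VERSION = (3, 8, 0, 4)  # RM4100 builds below this are listed as affected
FIELD = re.compile(r"(\w+)=(\S+)")  # hypothetical key=value log fields

def decoded_path_len(uri: str) -> int:
    """Length in bytes of the URI path after percent-decoding."""
    return len(unquote_to_bytes(urlsplit(uri).path))

def suspicious(line: str) -> bool:
    """True for a request to the SNORE port whose path is >= MAX_PATH_BYTES."""
    f = dict(FIELD.findall(line))
    if f.get("dport") != str(SNORE_PORT) or "uri" not in f:
        return False
    return decoded_path_len(f["uri"]) >= MAX_PATH_BYTES

def is_patched(version: str) -> bool:
    """Numeric comparison of a dotted version against the fixed release."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= FIXED_VERSION

# Constructed sample lines (assumed proxy/sensor log format, not real traffic).
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:00Z src=192.168.100.20 dport=9882 method=GET uri=/index.cgi?page=status",
    "ts=2024-01-01T10:00:05Z src=192.168.100.31 dport=9882 method=GET uri=/" + "A" * 512 + "BBBB",
    "ts=2024-01-01T10:00:09Z src=192.168.100.31 dport=9882 method=GET uri=/" + "%41" * 600,
    "ts=2024-01-01T10:00:12Z src=192.168.100.20 dport=80 method=GET uri=/" + "A" * 600,
]

def flagged_sources(lines):
    """Return (src, decoded path length) for each suspicious line."""
    out = []
    for line in lines:
        if suspicious(line):
            f = dict(FIELD.findall(line))
            out.append((f.get("src"), decoded_path_len(f["uri"])))
    return out

if __name__ == "__main__":
    for src, n in flagged_sources(SAMPLE_LOG):
        print(f"ALERT src={src} path_bytes={n}")
```

Measuring the path after percent-decoding keeps an encoded request from slipping under a raw-length threshold, and the tuple comparison orders versions numerically, so 3.10.0.0 sorts above 3.8.0.4.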