Linksys RE6500
cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*
- 1.0.013.001
A stack-based buffer overflow vulnerability has been identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000 routers, all running specific firmware versions. The vulnerability resides in the 'AP_get_wireless_clientlist_setClientsName' function within the 'mod_form.so' file. Remote attackers can manipulate the 'clientsname_0' argument to overflow a stack buffer and overwrite the function's return address. Exploiting the vulnerability causes the router to crash, disrupting its normal service.
A stack-based buffer overflow of this kind can potentially allow arbitrary code execution. In this case, however, exploitation causes the router to crash and persistently fail to provide services correctly.
The vulnerability can be reproduced by sending a POST request to the '/goform/AP_get_wireless_clientlist_setClientsName' endpoint. The request must include a 'clientsname_0' parameter with a payload that is sufficiently long to cause a stack overflow. This can be done using a web browser or a tool like curl, ensuring that the 'Content-Type' is set to 'application/x-www-form-urlencoded' and that the 'Content-Length' reflects the size of the payload.
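A defensive check for the request shape described above, as an added example that is not part of the original advisory or any Linksys code: it flags POSTs to the affected endpoint whose 'clientsname_0' value exceeds an assumed limit. `MAX_NAME_LEN`, `inspect_request`, `build` and the sample requests are constructed for illustration; the advisory does not state the buffer size.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/AP_get_wireless_clientlist_setClientsName"  # from the advisory
PARAM = "clientsname_0"                                          # from the advisory
MAX_NAME_LEN = 64  # assumption: sane upper bound for a client display name


def inspect_request(raw: bytes, max_len: int = MAX_NAME_LEN) -> list[str]:
    """Return findings for one raw HTTP/1.x request (empty list if nothing to flag)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return []
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return []  # the advisory's request shape requires a form-encoded body
    findings = []
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append(f"Content-Length {declared} != body size {len(body)}")
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for value in fields.get(PARAM, []):  # lengths are measured after URL-decoding
        if len(value) > max_len:
            findings.append(f"{PARAM} length {len(value)} exceeds {max_len}")
    return findings


def build(path: str, body: bytes) -> bytes:
    """Constructed sample request for the demo below (not captured traffic)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


if __name__ == "__main__":
    for body in (b"clientsname_0=laptop", b"clientsname_0=" + b"x" * (MAX_NAME_LEN + 1)):
        print(inspect_request(build(ENDPOINT, body)))
```

The same length test can be applied in a reverse proxy or IDS rule placed in front of the device's management interface.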