Linksys RE6500
cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*
- 1.0.013.001
A stack-based buffer overflow vulnerability has been identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000, and RE9000 routers running specific firmware versions. The vulnerability is in the 'RE2000v2Repeater_get_wired_clientlist_setClientsName' function within the 'mod_form.so' file. A remote attacker can manipulate the 'clientsname_0' argument to overflow a stack buffer and overwrite the return address, potentially executing arbitrary code. The overflow crashes the router and persistently disrupts its services.
Exploitation overwrites the return address in the vulnerable function's stack frame. This type of overflow can be exploited to execute arbitrary code with the privileges of the process running the vulnerable application. In this case, exploitation causes the router to crash and persistently fail to provide services correctly.
The vulnerability can be reproduced by sending a POST request to the '/goform/RE2000v2Repeater_get_wired_clientlist_setClientsName' endpoint. The request must include a 'clientsname_0' parameter with an excessively long value. The value overflows the stack buffer and crashes the router.
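A request check for the endpoint and parameter named above, of the kind a filtering proxy or log pipeline in front of the management interface could apply. This is an added example, not code from the advisory or from Linksys; the 64-byte limit, the function names and the sample requests are assumptions, since the advisory does not state the buffer size.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameter name are taken from the advisory text.
ENDPOINT = "/goform/RE2000v2Repeater_get_wired_clientlist_setClientsName"
PARAM = "clientsname_0"
# Assumption: the advisory gives no buffer size, so this is a conservative
# policy limit for a client display name, not the firmware's real bound.
MAX_NAME_BYTES = 64


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP/1.x request (empty list = clean)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n")[0]
    try:
        method, target, _version = request_line.split(" ", 2)
        url = urlsplit(target)
    except ValueError:
        return ["malformed request line"]
    if method.upper() != "POST" or unquote(url.path).rstrip("/") != ENDPOINT:
        return []
    # Look at form fields in the body and the query string. Sizes are taken
    # after percent-decoding, so "%41" counts as the one byte it decodes to.
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    fields += parse_qsl(url.query, keep_blank_values=True, encoding="latin-1")
    findings = []
    for name, value in fields:
        size = len(value.encode("latin-1"))
        if name == PARAM and size > MAX_NAME_BYTES:
            findings.append(f"{name} is {size} bytes (limit {MAX_NAME_BYTES})")
    return findings


def sample_request(name: str) -> bytes:
    """Constructed test input: a form POST to the endpoint with one field."""
    body = f"{PARAM}={name}".encode("latin-1")
    head = (f"POST {ENDPOINT} HTTP/1.1\r\nHost: extender.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


if __name__ == "__main__":
    for label, name in (("normal", "living-room-tv"), ("oversized", "A" * 600)):
        print(label, inspect_request(sample_request(name)))
```

A non-empty result is the signal to drop the request or raise an alert; tune `MAX_NAME_BYTES` to the longest client name the deployment legitimately uses.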