Sagemcom F@st 3686 Buffer Overflow Vulnerability in IPP Service Allowing Remote Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in the Internet Printing Protocol (IPP) service of the Sagemcom F@st 3686 router, in version MAGYAR_4.121.0. It allows remote attackers to execute arbitrary code by sending crafted HTTP requests. The IPP service, which is enabled by default, improperly handles the 'Expect' HTTP header, allowing data to be written outside the bounds of a fixed-size array. The vulnerability is exacerbated by the absence of modern hardening features in the 'ippprint' binary: Position Independent Executable (PIE) support, Non-Executable (NX) stack protection, and stack canaries are all missing, and these could have mitigated the impact of the buffer overflow.

Impact

Exploitation of this vulnerability leads to a buffer overflow, allowing for arbitrary code execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending an HTTP request to the IPP service with an 'Expect' header that exceeds 16 bytes. The excess data will overflow the buffer and can be used to overwrite the return address of the function, directing execution to an attacker-controlled location. The current proof-of-concept exploit has a success rate of approximately 10%, but this could be improved by combining it with another vulnerability.
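The bounds check that this class of bug lacks, as an added example (not the firmware's code, which this page does not show). The 16-byte array size is assumed from the threshold above; the function names and sample requests are constructed for illustration.

```c
#include <string.h>
#include <strings.h>
#define EXPECT_BUF 16 /* assumed array size, from the 16-byte threshold above */

/* Constructed sample requests (not captured traffic; the /ipp path is made up). */
const char REQ_NORMAL[] = "POST /ipp HTTP/1.1\r\nHost: router\r\nExpect: 100-continue\r\n\r\n";
const char REQ_LONG[] = "POST /ipp HTTP/1.1\r\nexpect: 100-continue-xxxxxxxxxxxxxxxx\r\n\r\n";
const char REQ_NONE[] = "POST /ipp HTTP/1.1\r\nHost: router\r\n\r\n";

/* Find the Expect header value in a raw request; NULL if absent or truncated. */
static const char *find_expect(const char *req, size_t *len)
{
    const char *line = strstr(req, "\r\n"); /* end of the request line */
    while (line && line[2] != '\r' && line[2] != '\0') {
        const char *hdr = line + 2, *eol = strstr(hdr, "\r\n");
        if (!eol) return NULL;
        if (strncasecmp(hdr, "Expect:", 7) == 0) { /* header names are case-insensitive */
            const char *v = hdr + 7;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(eol - v);
            return v;
        }
        line = eol;
    }
    return NULL;
}

/* Bounded copy: 0 = copied, 1 = no Expect header, -1 = oversized value, reject. */
int copy_expect_checked(char *dst, size_t dstsz, const char *req)
{
    size_t len = 0;
    const char *val = find_expect(req, &len);
    if (!val) return 1;
    if (len >= dstsz) return -1; /* value plus terminator must fit in dst */
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Hypothetical handler holding the fixed-size array on the stack. */
int handle_request(const char *req)
{
    char expect[EXPECT_BUF];
    return copy_expect_checked(expect, sizeof expect, req);
}

int main(void)
{
    return (handle_request(REQ_NORMAL) == 0 && handle_request(REQ_LONG) == -1) ? 0 : 1;
}
```

A return value of -1 is the point at which a server would refuse the request (for example with 417 Expectation Failed) instead of copying the value.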

Added: Jan 12, 2026, 10:24 PM
Updated: Jan 12, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.