MBS Universal BACnet Router Stack-Based Buffer Overflow Vulnerability in UBR Web GUI
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the MBS Universal BACnet Router's UBR web GUI. A low-privileged remote attacker can trigger it by sending a crafted HTTP POST request to the 'ubr-network' method, leading to full device compromise. The issue arises because the server-side code improperly handles user-controlled data, allowing attackers to overwrite the return address on the stack and execute arbitrary code. The vulnerability affects both the 32 MB and 64 MB RAM versions of the UBR router.
Impact
Exploitation of this vulnerability allows for arbitrary code execution with elevated privileges, potentially compromising the entire system.
Reproduction
To reproduce this vulnerability, a valid session token for a user or admin account is required. Once authenticated, send a POST request to the 'ubr-network' method with a JSON array in the 'routingItems' parameter. The array can be crafted to include strings that exceed 63 bytes, which will then be concatenated into a fixed-size stack buffer, causing a buffer overflow. This overwrites the return address on the stack, hijacking the execution flow and allowing for the execution of arbitrary code.
Remediation
Users are advised to update to the latest UBR firmware version 6.0.1.0, which addresses this vulnerability.
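For developers reviewing similar request handlers, the bug class described under Reproduction (per-item strings concatenated into a fixed-size stack buffer without length checks) is closed by validating every item and the running total before copying. The following C sketch is an added example, not code from the UBR firmware or the vendor's fix; the function name join_routing_items, the 256-byte destination size and the separator are assumptions, and only the 63-byte per-item limit comes from the advisory text.

```c
#include <stdio.h>
#include <string.h>

#define ITEM_MAX 63   /* per-item limit, from the advisory text */
#define BUF_SIZE 256  /* assumed destination size (not from the advisory) */

/* Unsafe pattern of the kind described (shown as a comment only):
 *   char buf[BUF_SIZE] = "";
 *   for (i = 0; i < n; i++) strcat(buf, items[i]);   // no bounds check
 */

/* Hypothetical hardened join. Returns 0 on success, -1 for a bad argument
 * or an item that is NULL or longer than ITEM_MAX, -2 if the joined result
 * would not fit. On any error dst is left as an empty string. */
int join_routing_items(char *dst, size_t dst_size,
                       const char *const *items, size_t n_items, char sep)
{
    size_t used = 0;  /* bytes written so far, excluding the NUL */

    if (dst == NULL || dst_size == 0 || (items == NULL && n_items > 0))
        return -1;
    dst[0] = '\0';

    for (size_t i = 0; i < n_items; i++) {
        /* Bounded scan: never reads past ITEM_MAX + 1 bytes of the item. */
        const char *end = items[i] ? memchr(items[i], '\0', ITEM_MAX + 1) : NULL;
        if (end == NULL) { dst[0] = '\0'; return -1; }
        size_t len = (size_t)(end - items[i]);
        size_t need = len + (i > 0 ? 1 : 0);   /* item plus separator */
        /* used <= dst_size - 1 always holds, so this cannot underflow. */
        if (need > dst_size - 1 - used) { dst[0] = '\0'; return -2; }
        if (i > 0)
            dst[used++] = sep;
        memcpy(dst + used, items[i], len);
        used += len;
        dst[used] = '\0';
    }
    return 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *const items[] = { "192.0.2.10", "eth0" };  /* constructed sample */
    int rc = join_routing_items(buf, sizeof buf, items, 2, ',');
    printf("rc=%d joined=\"%s\"\n", rc, buf);
    return rc == 0 ? 0 : 1;
}
```

A handler built this way rejects the whole request on the first over-long item instead of truncating it, so an error response and a log entry can be produced at the point of validation.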
