WINSTAR WN572HP3 Buffer Overflow Vulnerability in upload.cgi Component Allowing Denial-of-Service

Vulnerability

A buffer overflow vulnerability has been identified in the WINSTAR WN572HP3 device, specifically in the upload.cgi file of the Lighttpd web service component. The vulnerability arises from the insecure use of the strcpy function, which copies untrusted data from the HTTP_COOKIE environment variable into a fixed-size stack buffer without bounds checking. As a result, an attacker can craft an HTTP request with an excessively long Cookie value, causing a stack-based buffer overflow that overwrites critical memory structures. Exploitation causes a denial-of-service condition on the device.
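The unsafe pattern described above is shown here next to a bounds-checked replacement. This is an added example, not code from the device firmware or the vendor. The buffer size of 64 and the function names are assumptions, since the advisory gives neither.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_BUF_SIZE 64 /* assumed size; the advisory does not state the real one */

/* Pattern from the advisory, kept for contrast and never called below:
 * strcpy trusts the length of HTTP_COOKIE, so any value of
 * COOKIE_BUF_SIZE bytes or more writes past the end of buf. */
void read_cookie_unsafe(const char *cookie)
{
    char buf[COOKIE_BUF_SIZE];
    strcpy(buf, cookie);
    printf("cookie=%s\n", buf);
}

/* Hardened form (hypothetical helper): copy only if the value and its
 * terminating NUL fit in dst. Returns 0 on success, -1 when the cookie is
 * missing or too long. Oversized input is rejected, not truncated, so a
 * cut-off session value is never processed as if it were complete. */
int copy_cookie_checked(const char *cookie, char *dst, size_t dst_size)
{
    if (cookie == NULL || dst == NULL || dst_size == 0)
        return -1;
    /* Look for the NUL inside the first dst_size bytes only. */
    const char *end = memchr(cookie, '\0', dst_size);
    if (end == NULL)
        return -1; /* value plus terminator would not fit */
    memcpy(dst, cookie, (size_t)(end - cookie) + 1);
    return 0;
}

int main(void)
{
    char buf[COOKIE_BUF_SIZE];
    /* A CGI program receives the Cookie header in HTTP_COOKIE. */
    if (copy_cookie_checked(getenv("HTTP_COOKIE"), buf, sizeof buf) != 0) {
        /* Fail closed: refuse the request instead of overflowing. */
        printf("Status: 400 Bad Request\r\n\r\n");
        return 0;
    }
    printf("Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n");
    printf("cookie accepted (%zu bytes)\n", strlen(buf));
    return 0;
}
```
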

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the device to become unresponsive or unavailable.

Reproduction

The vulnerability can be reproduced by sending an HTTP request with a Cookie header that contains a very long value. This can be done using tools like curl or Postman, or by writing a simple script that sends the crafted request. The upload.cgi script will process the request, and the buffer overflow will occur due to the lack of proper input validation.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.