Planet WGS-804HPT Stack Overflow Vulnerability in TAC+ Web Server Edit Function

Vulnerability

A stack-based buffer overflow has been identified in the Planet WGS-804HPT switch, specifically in version 1.305b241111. The issue lies in the 'web_tacplus_serverEdit_post' function, where the 'tacIp' parameter is improperly handled and a 'memcpy' operation overflows a stack buffer. The vulnerability can be exploited by creating a cookie that grants access to the vulnerable function and then sending a crafted request that overflows the stack.

Impact

Exploitation overflows a buffer on the stack, which can lead to arbitrary code execution by overwriting the return address and hijacking the control flow of the program.

Reproduction

The vulnerability can be reproduced by first creating a cookie with the necessary permissions to access the 'web_tacplus_serverEdit_post' function. Once the cookie is set, a POST request can be sent to the 'dispatcher.cgi' endpoint with the 'tacIp' parameter containing a payload that is 600 bytes larger than the buffer can handle. This payload will overflow the stack and can be used to execute arbitrary code.
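The root cause described above is a 'memcpy' whose length comes from the request rather than from the destination buffer. The following C code is an added example of a bounded, validated copy; it is not Planet's firmware code and not part of the original advisory. The names copy_tac_ip and TAC_IP_MAX, the buffer size, and the assumption that 'tacIp' must be an IPv4 or IPv6 literal are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Assumed field size; the page does not give the real buffer size. */
#define TAC_IP_MAX INET6_ADDRSTRLEN

/* Hypothetical hardened replacement for an unchecked
 * memcpy(dst, tacIp, request_len) in a form handler.
 * Returns 0 on success, -1 if the value is rejected.
 * dst is left untouched on rejection. */
int copy_tac_ip(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    unsigned char addr[sizeof(struct in6_addr)];
    char tmp[TAC_IP_MAX];

    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    /* The length is attacker-controlled: check it against both buffers first. */
    if (src_len == 0 || src_len >= sizeof(tmp) || src_len >= dst_len)
        return -1;
    /* Reject embedded NULs so the parsed string equals the bytes received. */
    if (memchr(src, '\0', src_len) != NULL)
        return -1;
    memcpy(tmp, src, src_len);
    tmp[src_len] = '\0';
    /* Semantic check: the value must parse as an IPv4 or IPv6 literal. */
    if (inet_pton(AF_INET, tmp, addr) != 1 &&
        inet_pton(AF_INET6, tmp, addr) != 1)
        return -1;
    memcpy(dst, tmp, src_len + 1);
    return 0;
}

int main(void)
{
    char field[TAC_IP_MAX];
    char oversized[600];               /* constructed sample input */
    memset(oversized, 'A', sizeof(oversized));

    printf("valid:     %d\n", copy_tac_ip(field, sizeof(field), "192.0.2.10", 10));
    printf("oversized: %d\n", copy_tac_ip(field, sizeof(field), oversized, sizeof(oversized)));
    return 0;
}
```

Rejected requests are also a useful detection signal: a 'tacIp' value that fails the length check is worth logging together with the session that sent it.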

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.