Planet FW-WGS-804HPT Stack Overflow Vulnerability in SNMPv3 Remote Engine ID Add Function
Vulnerability
A stack-based buffer overflow has been identified in the Planet FW-WGS-804HPT switch, firmware version 1.305b241111. The issue lies in the 'web_snmpv3_remote_engineId_add_post' function of the web management interface, which copies the request-controlled 'remote_ip' parameter into a fixed-size stack buffer with memcpy without checking the parameter's length against the size of that buffer. A request carrying an oversized 'remote_ip' value therefore writes past the buffer into the rest of the stack frame and can be used to hijack control flow.
Impact
Exploitation of this vulnerability overwrites data beyond the stack buffer, including the saved return address, and so hijacks the control flow of the process handling the request. Stack overflows of this type commonly lead to arbitrary code execution on the device.
Reproduction
The vulnerability requires an authenticated session: first obtain a cookie for an account with sufficient permissions to reach the 'web_snmpv3_remote_engineId_add_post' function. With that cookie set, send a POST request to the dispatcher with the 'remote_ip' parameter containing a payload 0x300 bytes (768 bytes) long, filled with 'a' characters. This payload overflows the stack buffer and reaches the saved return address; replacing the corresponding part of the 'a' filler with a chosen value overwrites the return address and allows control flow hijacking.
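The following is an added example written for this page, not the vendor's firmware code, that models the bug class described above and the payload used in the reproduction: an unbounded memcpy of 'remote_ip' into a fixed-size stack buffer, beside a hardened handler that bounds the length and parses the value as an IP address before copying. The buffer size (64 bytes), the function names, the simulated configuration sink and the form body layout are assumptions; only the parameter name 'remote_ip' and the 0x300-byte 'a' payload come from the advisory, and the remaining form fields of the real request are unknown and omitted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed stack buffer size for the 'remote_ip' copy; the real size on the
 * device is not given in the advisory. */
#define REMOTE_IP_BUF 64
/* Payload length from the advisory's reproduction steps (0x300 = 768 bytes). */
#define OVERFLOW_LEN 0x300

/* Simulated configuration sink (assumed): the last accepted remote IP. */
static char g_remote_engine_ip[REMOTE_IP_BUF];

static int apply_engine_id(const char *ip)
{
    snprintf(g_remote_engine_ip, sizeof g_remote_engine_ip, "%s", ip);
    return 0;
}

/* Vulnerable pattern (illustrative, not the vendor's code): the copy length is
 * taken from the request and never compared with sizeof(ip). Any value longer
 * than REMOTE_IP_BUF runs past the stack buffer into saved registers and the
 * return address. Never call this with an oversized value outside a sandbox. */
static int vuln_remote_engineid_add(const char *remote_ip, size_t len)
{
    char ip[REMOTE_IP_BUF];
    memcpy(ip, remote_ip, len);     /* BUG: unbounded memcpy into a stack buffer */
    ip[len] = '\0';                 /* also out of bounds when len >= sizeof ip */
    return apply_engine_id(ip);
}

/* Hardened version: bound the length before the copy and parse the value as an
 * IPv4 or IPv6 address, so a 0x300-byte string is refused before it reaches the
 * stack. Returns 0 on success, -1 for a bad length, -2 for a non-IP value. */
static int safe_remote_engineid_add(const char *remote_ip, size_t len)
{
    char ip[REMOTE_IP_BUF];
    unsigned char addr[16];

    if (remote_ip == NULL || len == 0 || len >= sizeof ip)
        return -1;
    memcpy(ip, remote_ip, len);
    ip[len] = '\0';
    if (inet_pton(AF_INET, ip, addr) != 1 && inet_pton(AF_INET6, ip, addr) != 1)
        return -2;
    return apply_engine_id(ip);
}

/* Builds the payload from the reproduction steps: 0x300 'a' bytes, NUL-terminated.
 * Caller frees. */
static char *build_overflow_payload(size_t *out_len)
{
    char *p = malloc(OVERFLOW_LEN + 1);
    if (p == NULL) return NULL;
    memset(p, 'a', OVERFLOW_LEN);
    p[OVERFLOW_LEN] = '\0';
    *out_len = OVERFLOW_LEN;
    return p;
}

/* Form-encoded POST body carrying the payload as 'remote_ip'. Other fields of
 * the real request are not given in the advisory and are omitted. Caller frees. */
static char *build_post_body(const char *payload, size_t payload_len, size_t *out_len)
{
    static const char key[] = "remote_ip=";
    size_t n = sizeof key - 1 + payload_len;
    char *body = malloc(n + 1);
    if (body == NULL) return NULL;
    memcpy(body, key, sizeof key - 1);
    memcpy(body + sizeof key - 1, payload, payload_len);
    body[n] = '\0';
    *out_len = n;
    return body;
}

int main(void)
{
    size_t plen = 0, blen = 0;
    char *payload = build_overflow_payload(&plen);
    char *body = build_post_body(payload, plen, &blen);
    printf("POST body: %zu bytes, starts with %.20s...\n", blen, body);
    printf("vuln handler, valid IP : %d\n", vuln_remote_engineid_add("192.0.2.10", 10));
    printf("safe handler, valid IP : %d\n", safe_remote_engineid_add("192.0.2.10", 10));
    printf("safe handler, payload  : %d\n", safe_remote_engineid_add(payload, plen));
    /* vuln_remote_engineid_add(payload, plen) would smash this stack frame. */
    free(body);
    free(payload);
    return 0;
}
```

Build with `cc -Wall -O0 -o engineid engineid.c` and run it; the hardened handler returns -1 for the 768-byte payload while accepting a real address. If you want to watch the vulnerable path fail, call it with the payload under AddressSanitizer (`-fsanitize=address`) or a debugger rather than on a production host. The length check alone closes the overflow; the inet_pton parse is the extra validation a remote engine ID endpoint should have had anyway.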
