Intelbras RX1500 Router Integer Overflow Vulnerability Allowing Arbitrary File Writing and Command Execution

Vulnerability

An integer overflow vulnerability has been identified in the Intelbras RX1500 Router, in versions through 2.2.17. The websReadEvent function improperly handles the 'command' field of the HTTP header, which allows writes past the end of an array. The out-of-bounds write can overwrite other fields, leading to arbitrary file writing and, in more severe cases, arbitrary command execution.

Impact

Exploitation of this vulnerability could result in arbitrary file writing and, in severe cases, arbitrary command execution on the router.

Reproduction

To reproduce this vulnerability, send a POST request to the '/cgi-bin/ExportSettings.sh' endpoint. Include a 'command-2' header with a payload that exceeds the typical length, such as a long string of characters. This triggers the integer overflow: the write crosses the array boundary and overwrites adjacent fields.
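
For defenders, the request shape described above can be checked for in captured or proxied traffic to the router's management interface. The following is an added example, not code from the advisory or the vendor; the 256-byte threshold, the matching of numeric suffixes other than 'command-2', and the sample requests are assumptions made for illustration.

```python
import re

TARGET_PATH = "/cgi-bin/ExportSettings.sh"  # endpoint named in the advisory
# 'command' and 'command-2' are from the advisory; other numeric suffixes are an assumption.
COMMAND_HEADER = re.compile(r"command(-\d+)?", re.IGNORECASE)
MAX_VALUE_LEN = 256  # assumed threshold; tune to what legitimate clients send

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return parts[0].upper(), parts[1].split("?", 1)[0], headers

def suspicious_headers(raw: bytes, max_len: int = MAX_VALUE_LEN):
    """Return [(header_name, value_length)] for oversized command headers on
    POSTs to the export endpoint; an empty list means nothing was flagged."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError:
        return []
    if method != "POST" or path != TARGET_PATH:
        return []
    return [(n, len(v)) for n, v in headers
            if COMMAND_HEADER.fullmatch(n) and len(v) > max_len]

def build(method, path, headers):
    """Build a constructed sample request (192.0.2.1 is a documentation address)."""
    head = f"{method} {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers)
    return (head + "\r\n").encode("latin-1")

SAMPLES = {  # constructed inputs, not captured traffic
    "plain export": build("POST", TARGET_PATH, [("Content-Length", "0")]),
    "short command-2": build("POST", TARGET_PATH, [("command-2", "x" * 16)]),
    "oversized command-2": build("POST", TARGET_PATH, [("Command-2", "A" * 4096)]),
    "other path": build("POST", "/index.html", [("command-2", "A" * 4096)]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {suspicious_headers(raw) or 'ok'}")
```

The check compares the path literally, so a deployment that sees percent-encoded or differently cased paths should normalise them before calling it.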

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.