Linksys E1200 v2 Router Stack-Based Buffer Overflow Vulnerability in HTTPD Binary

A stack-based buffer overflow vulnerability has been identified in the HTTPD binary of Linksys E1200 v2 routers running firmware version E1200_v2.0.11.001_us.tar.gz. The vulnerability arises in the 'get_merge_ipaddr' function, which concatenates up to four user-supplied CGI parameters into a fixed-size buffer without proper bounds checking. This flaw can be exploited by remote attackers through specially crafted HTTP requests, potentially leading to arbitrary code execution or a denial-of-service condition, all without requiring authentication.

Impact

Exploitation of this vulnerability allows for arbitrary code execution or the creation of a denial-of-service condition on the affected router.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/get_merge_ipaddr' endpoint. The request must include four CGI parameters ('param_0' to 'param_3') with values crafted to overflow the buffer in the 'get_merge_ipaddr' function.