Linksys E1200 V2 Router Stack-Based Buffer Overflow Vulnerability in HTTPD Binary

A stack-based buffer overflow vulnerability has been identified in the HTTPD binary of Linksys E1200 v2 routers running firmware version E1200_v2.0.11.001_us.tar.gz. The vulnerability arises in the apply_cgi and block_cgi functions, which improperly handle user-supplied input from the 'url' CGI parameter. These functions use sprintf to copy data into stack buffers without proper bounds checking. As a result, any non-empty input can overflow the buffer, potentially allowing remote attackers to execute arbitrary code or cause a denial-of-service condition, all without requiring authentication.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can be used to execute arbitrary code or cause a denial-of-service condition on the affected router.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP POST request to the router's CGI interface, specifically targeting the 'tmBlock.cgi' or 'hndBlock.cgi' scripts. The 'url' parameter must be included in the request with a value that exceeds the buffer's capacity, triggering the overflow.