Linksys E1200 v2 Router Stack-Based Buffer Overflow Vulnerability in HTTPD Binary

A stack-based buffer overflow vulnerability has been identified in the HTTPD binary of Linksys E1200 v2 routers running firmware version E1200_v2.0.11.001_us.tar.gz. The vulnerability arises in the 'get_merge_mac' function, which improperly concatenates up to six user-supplied CGI parameters into a fixed-size buffer without adequate bounds checking. This flaw allows remote attackers to exploit the vulnerability by sending specially crafted HTTP requests, potentially leading to arbitrary code execution or a denial-of-service condition, all without requiring authentication.

Impact

Exploitation of this vulnerability can result in a stack-based buffer overflow, allowing for arbitrary code execution or causing a denial-of-service condition on the affected router.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/cgi-bin/get_merge_mac' endpoint. The request must include CGI parameters named 'param_0' through 'param_5', each containing a payload that exceeds the buffer's capacity. The 'Content-Type' should be set to 'application/x-www-form-urlencoded', and the 'Content-Length' must reflect the size of the payload.