Linksys E1200 v2 Stack-Based Buffer Overflow Vulnerability in HTTPD CGI Parameter Handling

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the validate_static_route function of the HTTPD binary on Linksys E1200 v2 routers running firmware E1200_v2.0.11.001_us.tar.gz. The function improperly handles user-supplied CGI parameters related to routing (route_ipaddr_0~3, route_netmask_0~3, route_gateway_0~3): these parameters are concatenated into fixed-size stack buffers (v6, v10, v14) without adequate bounds checking. A remote attacker can trigger the overflow by sending specially crafted HTTP requests, potentially leading to arbitrary code execution or a denial-of-service condition, all without requiring authentication.
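The bounds checking that the description says is missing could look like the following. This is an added example, not code from the firmware or from this advisory. It assumes the _0~3 suffixes denote the four octets of a dotted-quad value; the helper names and the 16-byte buffer size are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: "255.255.255.255" plus NUL. Not taken from the firmware. */
#define DOTTED_QUAD_MAX 16

/* Hypothetical helper: accept only 1-3 decimal digits with value 0..255.
 * Returns the octet value, or -1 if the parameter is missing or malformed. */
static int parse_octet(const char *s)
{
    size_t len;
    int value = 0;

    if (s == NULL)
        return -1;
    len = strlen(s);
    if (len < 1 || len > 3)
        return -1;          /* over-long input is rejected, never copied */
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        value = value * 10 + (s[i] - '0');
    }
    return value <= 255 ? value : -1;
}

/* Hypothetical helper: join four octet parameters into out.
 * Returns 0 on success, -1 if any part is invalid or out is too small. */
int join_octets_checked(const char *const parts[4], char *out, size_t outsz)
{
    int oct[4];
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < 4; i++) {
        oct[i] = parse_octet(parts[i]);
        if (oct[i] < 0)
            return -1;
    }
    /* snprintf never writes past outsz; n >= outsz means truncation. */
    n = snprintf(out, outsz, "%d.%d.%d.%d", oct[0], oct[1], oct[2], oct[3]);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```

Validating each part before any copy means the destination length is bounded by construction, and the snprintf return check catches a destination buffer that is smaller than assumed.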

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can be leveraged to execute arbitrary code or create a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /cgi-bin/validate_static_route endpoint. The request must include the route_ipaddr, route_netmask, and route_gateway parameters, each containing data that exceeds the buffer size limitations. This can be done by crafting the CGI parameters to include excessive payloads, which will then be concatenated into the vulnerable buffers without proper validation, causing a buffer overflow.

Added: Nov 13, 2025, 5:19 PM
Updated: Nov 13, 2025, 6:53 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 1.1
threat: 6.5
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.