Linksys E7350
cpe:2.3:h:linksys:e7350:*:*:*:*:*:*:*
- 1.1.00.032
A stack-based buffer overflow vulnerability has been identified in the mtk_dut binary of Linksys E7350 routers running Firmware 1.1.00.032. The vulnerability arises in the sub_4045A8 function, which reads up to 256 bytes from the /sys/class/net/%s/address file into a local buffer. It then copies this data into a caller-provided buffer without proper boundary checks. Since the destination buffer is often allocated with much smaller sizes (20-32 bytes), local attackers who can control the contents of the address file can exploit this flaw, leading to memory corruption, denial of service, or potentially arbitrary code execution.
Exploitation of this vulnerability causes a stack-based buffer overflow, which can lead to memory corruption, denial of service, or arbitrary code execution.
To reproduce this vulnerability, overwrite the /sys/class/net/eth0/address file with a payload larger than the allocated buffer size of the destination buffer in the sub_4045A8 function. The mtk_dut binary will then read the oversized payload, causing a buffer overflow.
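The missing check described above can be illustrated with a bounded reader. This is an added example, not the firmware's code or a vendor patch: the function names `copy_mac_checked` and `read_mac_checked` are hypothetical, and it assumes a well-formed address file holds a single `aa:bb:cc:dd:ee:ff` line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAC_STR_LEN 17  /* "aa:bb:cc:dd:ee:ff" */

/* Accept only an exact MAC string and copy it only if dst can hold it. */
int copy_mac_checked(const char *line, char *dst, size_t dst_len)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';                      /* dst is always a valid string */
    if (line == NULL || strlen(line) != MAC_STR_LEN)
        return -1;                      /* oversized file content fails here */
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        int ok = (i % 3 == 2) ? line[i] == ':' : isxdigit((unsigned char)line[i]) != 0;
        if (!ok)
            return -1;
    }
    if (dst_len < MAC_STR_LEN + 1)      /* the bounds check the described copy lacks */
        return -1;
    memcpy(dst, line, MAC_STR_LEN + 1);
    return 0;
}

/* Hypothetical reader: same 256-byte local read, but the caller states dst_len. */
int read_mac_checked(const char *ifname, char *dst, size_t dst_len)
{
    char path[64], line[256];
    int n = snprintf(path, sizeof path, "/sys/class/net/%s/address", ifname);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;                      /* interface name too long */
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    char *got = fgets(line, sizeof line, fp);
    fclose(fp);
    if (got == NULL)
        return -1;
    line[strcspn(line, "\r\n")] = '\0'; /* drop trailing newline */
    return copy_mac_checked(line, dst, dst_len);
}

int main(void)
{
    char mac[20] = "";                  /* small caller buffer, as in the advisory */
    int rc = read_mac_checked("lo", mac, sizeof mac);
    printf("rc=%d mac=%s\n", rc, mac);
    return 0;
}
```

Passing the destination size into the reader means each call site with a 20-32 byte buffer is checked against the same limit, and content that is not a MAC address is rejected before any copy takes place.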