Linksys RE7000 Router Stack-Based Buffer Overflow Vulnerability in makeRequest.cgi
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Linksys RE7000 router, specifically in firmware version FW_v2.0.15_211230_1012. The vulnerability lies in the makeRequest.cgi binary, in the arplookup function, which parses lines from /proc/net/arp with sscanf using format specifiers that accept input larger than the destination buffers. This oversight lets a local attacker supply oversized ARP data that overruns the stack buffer, corrupting the stack. The issue could cause a denial-of-service or potentially allow arbitrary code execution.
Impact
Exploitation of this vulnerability can result in stack corruption, causing a denial-of-service or potentially allowing for arbitrary code execution.
Reproduction
To reproduce this vulnerability, local access to the router is required. The /proc/net/arp file can be manipulated to include an entry with an IP address that exceeds the buffer size of the arplookup function. Once the ARP file is modified, the makeRequest.cgi binary can be executed, triggering the buffer overflow by parsing the oversized input.
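The advisory describes an ARP-table parser that reads fields with unbounded sscanf conversions into fixed-size stack buffers. The following C program is an added example, not the advisory's or Linksys's code; it does not reproduce the RE7000's arplookup function. The buffer sizes, the /proc/net/arp column layout and the sample lines are assumptions. It places the unbounded pattern beside a hardened parser that length-checks every field before copying it, so an over-long IP address, MAC or device name is rejected rather than written past the buffer. A width-limited specifier such as "%15s" is the minimal fix but silently truncates and shifts the remaining columns, which is why the hardened version rejects instead.

```c
#include <stdio.h>
#include <string.h>

/*
 * Assumed /proc/net/arp layout (one entry per line):
 *   IP address       HW type     Flags       HW address            Mask     Device
 *   192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        br0
 * Buffer sizes below are assumptions for this example, not the device's.
 */
#define IP_LEN  16   /* "255.255.255.255" + NUL */
#define HW_LEN  18   /* "aa:bb:cc:dd:ee:ff" + NUL */
#define DEV_LEN 16   /* IFNAMSIZ */

/* Vulnerable pattern: an unbounded %s copies a field of any length into a
 * fixed stack buffer, so a longer field overruns it. Shown for contrast only;
 * this example never calls it with an over-long line. */
static int arp_parse_unbounded(const char *line, char *ip, char *hw, char *dev)
{
    return sscanf(line, "%s %*s %*s %s %*s %s", ip, hw, dev) == 3;
}

/* Copy one whitespace-delimited field into dst; reject it when it is missing
 * or does not fit together with the terminating NUL. */
static int copy_field(const char **cursor, char *dst, size_t dstlen)
{
    const char *p = *cursor + strspn(*cursor, " \t");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= dstlen)
        return 0;
    memcpy(dst, p, n);
    dst[n] = '\0';
    *cursor = p + n;
    return 1;
}

/* Advance past one field without storing it. */
static int skip_field(const char **cursor)
{
    const char *p = *cursor + strspn(*cursor, " \t");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0)
        return 0;
    *cursor = p + n;
    return 1;
}

/* Hardened parser: every stored field is checked against its buffer size
 * before the copy. Returns 1 on success, 0 on malformed or over-long input. */
static int arp_parse_bounded(const char *line, char ip[IP_LEN],
                             char hw[HW_LEN], char dev[DEV_LEN])
{
    const char *cur = line;
    return copy_field(&cur, ip, IP_LEN)
        && skip_field(&cur)              /* HW type */
        && skip_field(&cur)              /* Flags   */
        && copy_field(&cur, hw, HW_LEN)
        && skip_field(&cur)              /* Mask    */
        && copy_field(&cur, dev, DEV_LEN);
}

/* Constructed sample lines: one well-formed entry and one whose IP field is
 * far longer than IP_LEN. */
static const char *const ARP_OK =
    "192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        br0\n";
static const char *const ARP_LONG_IP =
    "192.168.1.1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  0x1  0x2  aa:bb:cc:dd:ee:ff  *  br0\n";

int main(void)
{
    char ip[IP_LEN], hw[HW_LEN], dev[DEV_LEN];

    if (arp_parse_unbounded(ARP_OK, ip, hw, dev))
        printf("unbounded parser (well-formed line only): %s %s %s\n", ip, hw, dev);

    if (arp_parse_bounded(ARP_OK, ip, hw, dev))
        printf("bounded parser accepted: %s %s %s\n", ip, hw, dev);

    printf("bounded parser on over-long IP field: %s\n",
           arp_parse_bounded(ARP_LONG_IP, ip, hw, dev) ? "accepted" : "rejected");
    return 0;
}
```

The same length check applies to any parser that fills fixed stack buffers from a file a less privileged process can influence; rejecting the line and logging it gives a detection signal, whereas truncation hides the anomaly.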