Linksys Routers Stack-Based Buffer Overflow Vulnerability in IGD Layer3Forwarding Service

A critical stack-based buffer overflow vulnerability has been identified in several Linksys router models, including the WRT1900ACS, EA7200, EA7450, and EA7500, all versions prior to 20250619. The vulnerability arises in the Internet Gateway Device (IGD) component, specifically within the Layer3Forwarding service's SetDefaultConnectionService function. The issue is triggered by the NewDefaultConnectionService parameter, which, when manipulated, causes a stack overflow by overwriting the buffer with excessive data. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a crafted SOAP request to the Layer3Forwarding control point of the router's UPnP service. The request must include a NewDefaultConnectionService parameter that is manipulated to overflow the stack. This can be done using a script that automates the process, such as one written in Python that uses sockets to send the crafted payload.