Linksys RE6250, RE6300, RE6350, RE6500, RE7000, RE9000 Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers running specific firmware versions. The vulnerability arises in the 'WPSSTAPINEnr' function of the '/goform/WPSSTAPINEnr' file, where the 'ssid' parameter is not properly validated. This oversight allows remote attackers to manipulate the 'ssid' argument, leading to a buffer overflow that could be exploited to execute arbitrary code. The issue has been publicly disclosed, and an exploit is available.

Impact

Exploitation of this vulnerability causes the router's web server to crash, disrupting normal service. However, the vulnerability can be exploited to gain unauthorized access to the device, potentially allowing for further malicious actions.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/WPSSTAPINEnr' endpoint. The request must include a 'ssid' parameter with a payload that exceeds the buffer size, causing a stack overflow. This can be done manually or automated with a script that handles the session management and payload crafting.