Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 Stack-Based Buffer Overflow Vulnerability in VLAN Management

A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers, all running specific firmware versions. The vulnerability arises in the 'setVlan' function within the '/goform/setVlan' file, where the 'vlan_set' argument is manipulated, leading to a stack overflow. This issue can be exploited remotely, causing the router to crash and disrupt service. The vulnerability has been publicly disclosed, and an exploit is available.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting normal service and causing a persistent denial of functionality.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/goform/setVlan' with an excessively long 'vlan_set' parameter. This overloads the stack, overwriting the return address and causing a buffer overflow, which can be leveraged to execute arbitrary code.