Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 Stack-Based Buffer Overflow Vulnerability in DHCPReserveAddGroup Function

A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers running specific firmware versions. The vulnerability arises in the DHCPReserveAddGroup function, where the parameters enable_group, name_group, ip_group, and mac_group are not properly validated. This lack of input sanitization allows remote attackers to manipulate these arguments, leading to a buffer overflow that could be exploited to execute arbitrary code. The vulnerability was publicly disclosed and has an available exploit.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting its normal functioning and service availability.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/DHCPReserveAddGroup endpoint. Include excessively long data in the mac_group parameter, which will overflow the buffer and crash the router.