Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers, all running specific firmware versions. The vulnerability arises in the 'langSwitchByBBS' function of the '/goform/langSwitchByBBS' file, where the 'langSelectionOnly' parameter is manipulated, leading to a buffer overflow. This vulnerability can be exploited remotely, causing the router to crash and disrupt services. Additionally, the overflow could potentially be leveraged to execute arbitrary code.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting services and causing a persistent failure to function correctly. However, given the nature of stack-based buffer overflows, there is a potential risk of arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/langSwitchByBBS' endpoint. The 'langSelectionOnly' parameter must be included in the request and filled with a payload that exceeds the buffer limit, such as a string of repeated characters. This overloads the stack, causing a buffer overflow that crashes the router.