Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 Stack-Based Buffer Overflow Vulnerability

A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers running specific firmware versions. The vulnerability arises in the 'RP_checkCredentialsByBBS' function within the '/goform/RP_checkCredentialsByBBS' file. The issue is triggered by the 'ssidhex' and 'pwd' parameters, which, when manipulated, cause a stack overflow by overwriting the return address of the function. This vulnerability can be exploited remotely, leading to a crash of the router, with potential for arbitrary code execution.

Impact

Exploitation of this vulnerability causes the router to crash, disrupting its normal service and potentially allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/RP_checkCredentialsByBBS' endpoint. The request must include a 'session_id' cookie and a 'ssidhex' parameter filled with a long string to trigger the buffer overflow. The router will crash, indicating successful exploitation.