Linksys RE6500
cpe:2.3:o:linksys:re6500_firmware:*:*:*:*:*:*:*
- 1.0.013.001
- 1.0.04.001
- 1.2.07.001
- 1.1.05.003
- 1.0.04.002
A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers, all running specific firmware versions. The vulnerability arises in the 'qosClassifier' function, where several parameters are directly accepted from the user without proper validation. This lack of input sanitization allows remote attackers to send overly long data, causing a buffer overflow that could potentially be exploited to execute arbitrary code.
Triggering the overflow crashes the router and disrupts normal service. Because the overflow is stack-based, it can often be taken beyond a crash to arbitrary code execution, which makes this a severe security risk.
To reproduce this vulnerability, send a POST request to the '/goform/qosClassifier' endpoint with excessively long data in the 'dir' parameter; the router will crash. The crash demonstrates the stack overflow condition: the oversized value overwrites the return address of the function, a common technique in exploiting buffer overflow vulnerabilities.
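The missing check described above, shown as an added example that is not Linksys firmware code: an unchecked copy of a request parameter into a fixed stack buffer, next to a version that rejects oversized input before copying. The function names and the 32-byte buffer size are assumptions, since the page does not give the real handler's layout.

```c
#include <stdio.h>
#include <string.h>

#define DIR_BUF 32  /* assumed size; the page does not state the real buffer length */

/* Unsafe pattern the page describes: a request parameter copied into a
 * fixed stack buffer with no length check. Shown for contrast, never called. */
int qos_dir_unsafe(const char *dir_param)
{
    char dir[DIR_BUF];
    strcpy(dir, dir_param);      /* writes past dir[] when the value is >= DIR_BUF bytes */
    return (int)strlen(dir);
}

/* Hardened form: find the terminator within the destination size first,
 * reject anything that does not fit, and only then copy.
 * Returns the copied length, or -1 if the value is missing or too long. */
int qos_dir_checked(const char *dir_param, char *out, size_t out_size)
{
    const char *end;
    size_t n;

    if (dir_param == NULL || out == NULL || out_size == 0)
        return -1;
    end = memchr(dir_param, '\0', out_size);  /* scans at most out_size bytes */
    if (end == NULL)                          /* no NUL in range: value too long */
        return -1;
    n = (size_t)(end - dir_param);
    memcpy(out, dir_param, n + 1);            /* n + 1 <= out_size, includes the NUL */
    return (int)n;
}

int main(void)
{
    char dir[DIR_BUF];
    char oversized[512];                      /* constructed oversized value */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short value: %d\n", qos_dir_checked("1", dir, sizeof dir));
    printf("oversized:   %d\n", qos_dir_checked(oversized, dir, sizeof dir));
    return 0;
}
```

Rejecting the request outright, rather than silently truncating, keeps a malformed 'dir' value from reaching later parsing in a half-valid state.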