Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 Stack-Based Buffer Overflow Vulnerability in IPv6 Configuration

A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers running specific firmware versions. The vulnerability arises in the 'setIpv6' function of the '/goform/setIpv6' file, where the 'tunrd_Prefix' argument can be manipulated, leading to remote exploitation. This vulnerability allows attackers to execute arbitrary code by overwriting the return address of the function, causing the router to crash and disrupt service.

Impact

Exploitation of this vulnerability causes the router to crash, leading to a persistent denial of service where the device fails to provide normal services.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/goform/setIpv6' endpoint. The request must include a 'tunrd_Prefix' parameter with a payload that is sufficiently long to cause a heap overflow. This can be done using a web browser or a tool like curl, by specifying the appropriate headers and cookie information to mimic a legitimate user session.