Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 Stack-Based Buffer Overflow Vulnerability in Port Range Forwarding Function

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 routers running specific firmware versions. The vulnerability resides in the 'portRangeForwardAdd' function of the '/goform/portRangeForwardAdd' file. Several input parameters, including 'ruleName', 'schedule', 'inboundFilter', 'TCPPorts', and 'UDPPorts', are not validated, so a remote attacker who manipulates them can trigger a stack overflow condition. This overflow can be exploited to execute arbitrary code, and it can crash the router and disrupt its normal services.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary code execution. In the proof-of-concept demonstration, however, exploitation causes the router to crash, disrupting its services permanently.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/portRangeForwardAdd' endpoint. Include a 'ruleName' parameter with a payload that exceeds the buffer's capacity. The router will crash, indicating successful exploitation.
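For detection or filtering in front of the device, the check below flags requests to this endpoint whose watched parameters are unusually long. It is an added example, not code from the advisory or from Linksys; the function name and the 64-byte limit are assumptions, since the advisory does not state the buffer size.

```python
from urllib.parse import parse_qsl

# Endpoint and parameter names are taken from the advisory text.
ENDPOINT = "/goform/portRangeForwardAdd"
WATCHED_PARAMS = ("ruleName", "schedule", "inboundFilter", "TCPPorts", "UDPPorts")

# Assumption: the advisory gives no buffer size, so this limit is a placeholder.
# Tune it to the longest value the device's own web UI ever submits.
MAX_PARAM_LEN = 64


def oversized_params(path, body, limit=MAX_PARAM_LEN):
    """Return {param: decoded_length} for watched parameters longer than limit.

    path is the request path (a query string is allowed); body is the raw
    application/x-www-form-urlencoded request body as bytes.
    """
    if path.split("?", 1)[0].rstrip("/") != ENDPOINT:
        return {}
    findings = {}
    # latin-1 maps every byte to one character, so len() of a decoded value is
    # the number of bytes the handler would receive, and decoding never fails.
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    for name, value in pairs:
        if name in WATCHED_PARAMS and len(value) > limit:
            # A parameter may be repeated; record its longest occurrence.
            findings[name] = max(findings.get(name, 0), len(value))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/goform/portRangeForwardAdd", b"ruleName=web&TCPPorts=80-81&UDPPorts="),
    ("/goform/portRangeForwardAdd", b"ruleName=" + b"%41" * 300 + b"&schedule=Always"),
    ("/goform/other", b"ruleName=" + b"A" * 300),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, oversized_params(path, body) or "ok")
```

Lengths are measured after percent-decoding, so an encoded value cannot slip under the limit by looking short on the wire.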

Added: Aug 26, 2025, 2:19 PM
Updated: Aug 26, 2025, 3:50 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.