Linksys RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000 Stack-Based Buffer Overflow Vulnerability in Port Forwarding Function

A stack-based buffer overflow vulnerability has been identified in Linksys router models RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000, all running specific firmware versions. The vulnerability arises in the 'singlePortForwardAdd' function, where the 'ruleName', 'schedule', and 'inboundFilter' parameters are not properly validated. This lack of input sanitization allows remote attackers to send excessively long data, causing a buffer overflow that could be exploited to execute arbitrary code. The issue has been publicly disclosed, and an exploit is available.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for arbitrary code execution. The vulnerability causes the router to crash, disrupting its normal service and causing a persistent denial of functionality.

Reproduction

To reproduce this vulnerability, send a POST request to the '/goform/singlePortForwardAdd' endpoint. Include a 'ruleName' parameter with a payload that is sufficiently long to overflow the stack buffer. The router will crash as a result of the overflow, causing a denial of service.