VIVOTEK FD8136
cpe:2.3:h:vivotek:fd8136:*:*:*:*:*:*:*, +1 more
- FD8136-VVTK-0300a
A stack-based buffer overflow vulnerability has been identified in the export_language.cgi binary of the VIVOTEK FD8136 firmware version FD8136-VVTK-0300a. This vulnerability allows authenticated remote attackers to execute arbitrary code as root. The issue arises because the handler passes an attacker-controlled Content-Length value directly to fread() as the read size, into a fixed-size stack buffer of 0x60 bytes. This oversight enables the overwriting of the saved link register. The vulnerability can be exploited by sending a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. Notably, the binary is compiled without stack canaries, leaving it susceptible to such attacks.
Exploitation of this vulnerability leads to authenticated remote code execution with root privileges on the affected device.
To reproduce this vulnerability, send a POST request to the /cgi-bin/admin/export_language.cgi endpoint with a Content-Length header that specifies a length greater than 0x60 bytes. The excess data will overflow the stack buffer and overwrite the saved link register, allowing for control of the execution flow.
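The defect described above is a read size taken from the request instead of from the buffer. The following C sketch shows a bounded version of that read; it is an added example, not VIVOTEK's code or code from the original advisory. The function names, the use of the CGI CONTENT_LENGTH environment variable as the source of the header value, and the 400 response are assumptions.

```c
/* Added illustration, not VIVOTEK's code; all names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define BODY_BUF_SIZE 0x60 /* stack buffer size given in the advisory */

/* Pattern the advisory describes (sketch; the binary's parsing is not shown):
 *     char buf[BODY_BUF_SIZE];
 *     fread(buf, 1, client_content_length, stdin);
 * The read size comes from the request, not from sizeof(buf). */

/* Accept only a plain decimal Content-Length in 0..max. Returns 0 on success. */
int parse_content_length(const char *s, size_t max, size_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s < '0' || *s > '9') /* NULL, "", "-1", "+5", " 5" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > max)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Hardened read: the size handed to fread() can never exceed bufsz. */
long read_body(FILE *in, const char *content_length, char *buf, size_t bufsz)
{
    size_t want;

    if (parse_content_length(content_length, bufsz, &want) != 0)
        return -1; /* oversized or malformed: reject, do not read */
    if (fread(buf, 1, want, in) != want)
        return -1; /* body shorter than declared */
    return (long)want;
}

int main(void)
{
    char buf[BODY_BUF_SIZE];
    long n = read_body(stdin, getenv("CONTENT_LENGTH"), buf, sizeof buf);

    if (n < 0)
        return puts("Status: 400 Bad Request\r\n\r") == EOF ? 2 : 1;
    printf("Status: 200 OK\r\n\r\nread %ld bytes\n", n);
    return 0;
}
```

A declared length of 0x61 or more is rejected before any byte is read, so the request body never reaches the stack buffer.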