Mercusys AC12G (EU) V1 UPnP Kernel Memory Disclosure Vulnerability

Vulnerability

A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in firmware version AC12G(EU)_V1_200909. In the UPnP service, the GetStatusInfo action discloses the kernel memory layout by returning a raw MIPS KSEG0 kernel pointer instead of the expected connection status. An unauthenticated attacker on the adjacent network can obtain sensitive kernel address information, which could be used for further exploitation, especially given the lack of Address Space Layout Randomization (ASLR) in VxWorks, the underlying operating system.

Impact

The vulnerability leaks kernel virtual addresses that are valuable for developing exploits. Because VxWorks does not implement ASLR, the leaked addresses consistently map to the same memory locations, providing a stable memory layout that could be exploited. VxWorks also lacks stack canaries and Non-Executable (NX) memory protection, so any future discovery of a buffer overflow vulnerability, combined with the leaked addresses, could lead to direct code execution.

Remediation

To address this vulnerability, the router's UPnP GetStatusInfo action should be modified to dereference the kernel pointer before formatting the connection status string. Additionally, the printf format specifier for the uptime field should be corrected to prevent the format character from being leaked.
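A regression check for the fix described above, written as an added example (not vendor or advisory code): it audits a GetStatusInfo response body for a status field that is not a UPnP status string, a non-numeric uptime, and any value that falls in the MIPS KSEG0 range. The field names follow the UPnP WAN connection service definition; the sample bodies, their service namespace and the leak's textual encoding are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# ConnectionStatus strings allowed by UPnP WANIPConnection / WANPPPConnection.
ALLOWED_STATUS = {"Unconfigured", "Connecting", "Authenticating", "Connected",
                  "PendingDisconnect", "Disconnecting", "Disconnected"}
KSEG0 = range(0x80000000, 0xA0000000)  # MIPS32 unmapped, cached kernel segment

def kseg0_values(text):
    """Integers in text that fall in KSEG0. The leak's encoding is an
    assumption: decimal (signed or unsigned) and hex tokens are both tried."""
    hits = set()
    for tok in re.split(r"[^0-9A-Za-z-]+", text):
        base = 10 if re.fullmatch(r"-?[0-9]+", tok) else 16
        try:
            val = int(tok, base)
        except ValueError:
            continue
        if abs(val) < 2**32 and (val & 0xFFFFFFFF) in KSEG0:
            hits.add(val & 0xFFFFFFFF)
    return sorted(hits)

def audit_status_info(soap_xml):
    """Return findings for one GetStatusInfoResponse body (empty list = clean)."""
    if "<!DOCTYPE" in soap_xml:  # SOAP never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SOAP response")
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
              for el in ET.fromstring(soap_xml).iter() if len(el) == 0}
    findings = []
    status = fields.get("NewConnectionStatus", "")
    if status not in ALLOWED_STATUS:
        findings.append(f"NewConnectionStatus {status!r} is not a UPnP status string")
    uptime = fields.get("NewUptime", "")
    if not re.fullmatch(r"[0-9]+", uptime):
        findings.append(f"NewUptime {uptime!r} is not an unsigned integer")
    for name, value in fields.items():
        findings += [f"{name} contains KSEG0 address 0x{a:08x}"
                     for a in kseg0_values(value)]
    return findings

# Constructed sample bodies, not captured from a device.
_TMPL = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
         '<u:GetStatusInfoResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
         '<NewConnectionStatus>{0}</NewConnectionStatus>'
         '<NewLastConnectionError>ERROR_NONE</NewLastConnectionError>'
         '<NewUptime>{1}</NewUptime>'
         '</u:GetStatusInfoResponse></s:Body></s:Envelope>')
GOOD = _TMPL.format("Connected", "86400")
BAD = _TMPL.format("0x80123456", "86400u")  # pointer-like status, stray char in uptime
```

Run `audit_status_info` over responses captured from your own device before and after a firmware update; a fixed build should return an empty list.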

Added: Jun 3, 2026, 6:56 PM
Updated: Jun 3, 2026, 6:56 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 9.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.