Mercusys AC12G Uninitialized Buffer Disclosure Vulnerability via UPnP POST Requests

A vulnerability exists in the Mercusys AC12G (EU) V1 router, specifically in the UPnP HTTP server on port 1900. When the router receives POST requests without a SOAPAction header, it responds with 128 bytes of uninitialized buffer data. This response includes null-separated parsed header key-value pairs from the request, fragments of HTTP response templates from previous requests, and internal memory contents from the server's buffer management. The vulnerability allows unauthenticated adjacent network attackers to access sensitive internal memory data.

Impact

The vulnerability exposes 128 bytes of internal server state and response buffer contents, creating a cross-request information leak via a shared buffer pool. Any unauthenticated client on the local network can trigger this issue.

Remediation

Users are advised to initialize response buffers to zero before use, return a proper HTTP error response (400 Bad Request) when required headers like 'SOAPAction' are missing, and clear response buffers between requests to prevent cross-request data leakage.