Mercusys AC12G
- AC12G(EU)_V1_200909
- AC12G(EU)_V1_210128
A buffer leak vulnerability has been identified in the Mercusys AC12G (EU) V1 router, specifically in the firmware version AC12G(EU)_V1_200909. The vulnerability arises from an undocumented endpoint, '/agileconfigreset', which is accessible without authentication. This endpoint leaks internal buffer contents, including parsed HTTP headers from the current request, to unauthenticated attackers on the adjacent network. The leaked data is formatted in a null-separated internal style and is sent as a malformed response that violates HTTP protocol standards.
Exploitation of this vulnerability leaks internal server state and HTTP header data from other clients' requests to unauthenticated attackers on the adjacent network, potentially aiding in reconnaissance for further attacks.
The vulnerability can be reproduced by sending a POST request to the '/agileconfigreset' endpoint. The response will include 128 bytes from the internal HTTP header parse buffer, leaked in a null-separated format, before the HTTP status line. This buffer leak occurs only with POST requests, as GET requests to the same endpoint are met with a 403 Forbidden response.
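A check a defender can run over a captured raw response (for example, bytes exported from a packet capture) to confirm the behavior described above: data sent ahead of the HTTP status line, split on null bytes. This is an added example, not code from the advisory or the vendor; the function name, the sample header values and the 200 status in the sample are constructed assumptions.

```python
import re

# An HTTP/1.x status line, e.g. b"HTTP/1.1 200 OK\r\n"
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3}[^\r\n]*\r?\n")


def inspect_response(raw: bytes) -> dict:
    """Report any bytes the server sent ahead of the HTTP status line."""
    match = STATUS_LINE.search(raw)
    if match is None:
        # No status line at all: treat the whole payload as unexpected.
        prefix, status = raw, None
    else:
        prefix = raw[:match.start()]
        status = match.group(0).rstrip(b"\r\n").decode("ascii", "replace")
    # The advisory describes the leaked buffer as null-separated.
    fields = [f.decode("latin-1") for f in prefix.split(b"\x00") if f]
    return {
        "conforming": match is not None and not prefix,
        "prefix_len": len(prefix),
        "fields": fields,
        "status": status,
    }


# Constructed sample: 128 bytes of null-separated header fragments,
# followed by a status line (values are illustrative, not captured data).
_LEAK = b"Host\x00192.0.2.1\x00User-Agent\x00example-client/1.0\x00".ljust(128, b"\x00")
SAMPLE_LEAKY = _LEAK + b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
# Constructed sample: a well-formed response such as the 403 returned to GET.
SAMPLE_CLEAN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_response(raw))
```

A non-zero `prefix_len` on a response from the router's web interface indicates the malformed pre-status-line output; after a firmware fix the same capture should report `conforming` as true.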
To address this vulnerability, the undocumented '/agileconfigreset' endpoint should be removed from production firmware. If it must remain, authentication should be required, and proper HTTP error codes should be returned. Additionally, response buffers should be initialized before use.