Planet ICG-2510 Stack-Based Buffer Overflow Vulnerability in Language Package Configuration Handler
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Planet ICG-2510 product, specifically in the 1.0_20250811 firmware version. The issue arises in the 'sub_40C8E4' function of the '/usr/sbin/httpd' component, which handles language package configurations. The vulnerability can be exploited remotely by manipulating the 'language' configuration value in NVRAM. The function retrieves this value and uses 'sprintf' to format it into a heap-allocated buffer of only 60 bytes. If an attacker sets the 'language' value to a string longer than 48 characters, it will overflow the buffer, potentially leading to memory corruption.
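The bounds arithmetic behind the 48-character threshold, with a bounded replacement for the `sprintf` call, as an added example that is not the firmware's code or part of the original advisory. The format string `/lang/%s.json`, the 16-character limit and all function names are assumptions, chosen so the fixed text takes 11 characters and matches the advisory's 60-byte buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LANG_BUF_SIZE 60              /* buffer size stated in the advisory */
#define LANG_PATH_FMT "/lang/%s.json" /* assumed format: 11 fixed characters */
#define LANG_MAX_LEN 16               /* assumed policy limit for a locale name */

/* Pattern the advisory describes, for comparison only (never called here):
 *     sprintf(buf, LANG_PATH_FMT, nvram_value);
 * 11 fixed characters plus the NUL leave room for 48 value characters. */

/* Bytes the formatted path needs, including the terminating NUL. */
static size_t lang_path_needed(const char *lang)
{
    int n = snprintf(NULL, 0, LANG_PATH_FMT, lang);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Accept only short locale-style names such as "en" or "zh_TW". */
static int lang_value_ok(const char *lang)
{
    size_t len = strlen(lang);
    if (len == 0 || len > LANG_MAX_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened form: validate, bound the write, treat truncation as an error. */
static int build_lang_path(char *out, size_t out_size, const char *lang)
{
    if (lang == NULL || !lang_value_ok(lang))
        return -1;
    int n = snprintf(out, out_size, LANG_PATH_FMT, lang);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

int main(void)
{
    char buf[LANG_BUF_SIZE], v49[50] = {0};
    memset(v49, 'A', 49); /* constructed 49-character sample value */
    printf("needed=%zu rc=%d\n", lang_path_needed(v49), build_lang_path(buf, sizeof buf, v49));
    return 0;
}
```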
Impact
Exploitation of this vulnerability causes a denial-of-service condition by crashing the web management interface. Because this is a stack-based buffer overflow, it also creates a possibility for arbitrary code execution, allowing remote control of the device.
Reproduction
To reproduce this vulnerability, set a long string value (over 48 characters) for the 'language' configuration item in NVRAM. This can be done using the 'nvram set' command. Once the malicious value is set, access any page on the web management interface, which will trigger the 'sub_40C8E4' function and cause the buffer overflow.
