WDR201A WiFi Extender Stack-Based Buffer Overflow Vulnerability in Firewall.cgi and MakeRequest.cgi
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the WDR201A WiFi Extender, specifically in the firewall.cgi and makeRequest.cgi binaries. This vulnerability allows unauthenticated attackers to overwrite the saved return address by sending a POST request with a Content-Length header that exceeds 512 bytes. The flaw arises from inadequate length validation in the fgets() function, enabling attackers to execute arbitrary code using return-oriented programming or return-to-libc techniques.
Impact
Exploitation of this vulnerability allows for a stack-based buffer overflow, where the saved return address is overwritten, potentially leading to arbitrary code execution.
Reproduction
The vulnerability can be reproduced by sending a POST request to the device's firewall.cgi or makeRequest.cgi with a Content-Length header greater than 512 bytes. The request body should include a payload that exploits the buffer overflow by overwriting the return address with a controlled value, such as the address of a gadget in libc that can be used to execute a command via a return-to-libc attack.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.