H3C Magic B3 Buffer Overflow Vulnerability in UpdateWanParams Function

Vulnerability

A buffer overflow vulnerability has been identified in the H3C Magic B3 router, affecting firmware versions through 100R002. The issue arises in the UpdateWanParams function within the /goform/aspForm file, where improper validation of the 'param' argument allows for remote exploitation. This vulnerability can lead to a denial-of-service condition and, under certain circumstances, may be exploited for remote code execution.

Impact

Exploitation of this vulnerability causes the device's web management service to crash, leading to a denial-of-service condition on the router. The management page can become inaccessible, or the device can reboot abnormally. Additionally, under specific conditions, this vulnerability could be exploited to execute code remotely.

Reproduction

To reproduce this vulnerability, send a POST request to the /goform/aspForm endpoint. Include a 'CMD' parameter set to 'UpdateWanParams' and a 'param' parameter with a payload exceeding 512 bytes. This oversized input will trigger the buffer overflow by overwriting memory beyond the bounds of a 64-byte destination array, disrupting normal device operation.

Remediation

Users are advised to upgrade to a secure firmware version as soon as possible. The vendor should release a patched version that addresses the vulnerability by implementing proper input validation and memory management. Additionally, enabling security features like stack protection and FORTIFY_SOURCE during compilation can help mitigate similar vulnerabilities.
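
The length check that the remediation calls for, as an added example that is not the vendor's firmware code or a patch: the function names, the form-body parsing and the sample values are assumptions, and only the 64-byte destination size comes from the advisory. Building it with -fstack-protector-strong and -D_FORTIFY_SOURCE=2 (with optimization enabled) adds the compiler hardening mentioned above.

```c
#include <stddef.h>
#include <string.h>

#define WAN_PARAM_MAX 64 /* destination size given in the advisory */

/* Hypothetical helper: locate key=value in a form-encoded body.
 * Sets *len to the value length (up to the next '&' or the end). */
static const char *find_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            *len = strcspn(v, "&");
            return v;
        }
        p = strchr(p, '&');
        if (p != NULL)
            p++;              /* step past the separator */
    }
    return NULL;
}

/* Hypothetical handler step: copy the value into dst only if it fits
 * together with its terminator.
 * Returns 0 on success, -1 if missing or too long (dst left empty). */
int copy_param_checked(const char *body, const char *key,
                       char *dst, size_t dst_size)
{
    size_t len = 0;
    const char *v;

    if (body == NULL || key == NULL || dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    v = find_value(body, key, &len);
    if (v == NULL || len >= dst_size)
        return -1;            /* reject rather than truncate */
    memcpy(dst, v, len);
    dst[len] = '\0';
    return 0;
}
```

Rejecting the request instead of truncating keeps an oversized value from being silently accepted as a shortened, different setting.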

Added: May 17, 2026, 10:19 PM
Updated: May 17, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.