Edimax EW-7438RPn Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the Edimax EW-7438RPn range extender, specifically in version 1.31. The issue arises in the 'formWlanMP' function within the '/goform/formWlanMP' file. The vulnerability can be exploited remotely by manipulating various unvalidated input parameters, including 'ateFunc', 'ateGain', 'ateTxCount', 'ateChan', 'ateRate', 'ateMacID', multiple 'e2pTxPower' values, 'ateTxFreqOffset', 'ateMode', 'ateBW', 'ateAntenna', 'e2pTxFreqOffset', 'e2pTxPwDeltaB', 'e2pTxPwDeltaG', 'e2pTxPwDeltaMix', 'e2pTxPwDeltaN', 'readE2P', and 'submit-url'. The lack of proper input validation allows attackers to overflow the stack, potentially leading to arbitrary code execution.

Impact

Exploitation of this vulnerability causes the device to crash, disrupting normal service. However, the nature of the stack-based buffer overflow could also allow for arbitrary code execution, given the right conditions.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/goform/formWlanMP' with overly long data in the 'ateFunc' parameter, along with other specified parameters. This excessive input causes the stack overflow, leading to a crash of the router.
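For defenders who cannot patch the device, the request shape described above can be screened at a reverse proxy or in captured traffic. The following is an added example, not code from the advisory or from Edimax: the endpoint and parameter names come from the text above, while the 64-byte limit and the function name oversized_params are assumptions, since the advisory does not state the buffer size.

```python
from urllib.parse import parse_qsl

# Endpoint and parameter names are taken from the advisory text.
ENDPOINT = "/goform/formWlanMP"
EXACT_PARAMS = {
    "ateFunc", "ateGain", "ateTxCount", "ateChan", "ateRate", "ateMacID",
    "ateTxFreqOffset", "ateMode", "ateBW", "ateAntenna", "e2pTxFreqOffset",
    "e2pTxPwDeltaB", "e2pTxPwDeltaG", "e2pTxPwDeltaMix", "e2pTxPwDeltaN",
    "readE2P", "submit-url",
}
PREFIX_PARAMS = ("e2pTxPower",)  # advisory: "multiple 'e2pTxPower' values"
MAX_VALUE_LEN = 64  # ASSUMPTION: the advisory gives no buffer size


def oversized_params(method, path, body, limit=MAX_VALUE_LEN):
    """Return sorted [(name, byte_length)] for listed parameters over limit.

    body is the raw application/x-www-form-urlencoded request body (bytes).
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    # latin-1 maps every byte to exactly one character, so len(value) after
    # URL-decoding equals the number of bytes the handler would receive.
    text = body.decode("latin-1")
    hits = {}
    for name, value in parse_qsl(text, keep_blank_values=True,
                                 encoding="latin-1"):
        listed = name in EXACT_PARAMS or name.startswith(PREFIX_PARAMS)
        if listed and len(value) > limit:
            # Repeated fields: report the longest occurrence.
            hits[name] = max(len(value), hits.get(name, 0))
    return sorted(hits.items())


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("POST", ENDPOINT, b"ateFunc=1&ateChan=6&submit-url=%2Fmp.asp"),
        ("POST", ENDPOINT, b"ateFunc=" + b"A" * 200 + b"&ateChan=6"),
        ("POST", ENDPOINT, b"e2pTxPower1=" + b"%41" * 100),
    ]
    for method, path, body in samples:
        print(method, path, oversized_params(method, path, body) or "ok")
```

A non-empty result is a reason to drop or log the request; tune the limit to the longest legitimate value seen on the device's own management pages.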

Added: May 26, 2026, 8:11 PM
Updated: May 26, 2026, 8:11 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.