CVE-2022-27255

In Realtek eCos RSDK 1.5.7p1 and MSDK 4.9.4p1, the SIP ALG function that rewrites SDP data has a stack-based buffer overflow. This allows an attacker to remotely execute code without authentication via a crafted SIP packet that contains malicious SDP data.

Recent assessments:

jbaines-r7 at September 09, 2022 3:52pm UTC reported:

CVE-2022-27255 was presented at DEF CON 30 in August 2022. The researchers have shared their slides, exploits, and research scripts on GitHub, for which we thank them profusely. CVE-2022-27255 is a memory corruption vulnerability when eCos parses SIP packets containing crafted SDP (during NAT translation). Because eCos is used by a variety of SOHO routers, the vulnerability is present in a wide range of devices shipped by a number of different organizations. At the time of writing, the set of vulnerable systems was believed to be:

Nexxt Nebula 300 Plus
Tenda F6 V5.0
Tenda F3 V3
Tenda F9 V2.0
Tenda AC5 V3.0
Tenda AC6 V5.0
Tenda AC7 V4.0
Tenda A9 V3
Tenda AC8 V2.0
Tenda AC10 V3
Tenda AC11 V2.0
Tenda FH456 V4.0
Zyxel NBG6615 V1.00
Intelbras RF 301K V1.1.15
Multilaser AC1200 RE018
iBall 300M-MIMO (iB-WRB303N)
Brostrend AC1200 extender
MT-Link MT-WR850N
MT-Link MT-WR950N
Everest EWR-301
D-Link DIR-822 h/w version B
Speedefy K4
Ultra-Link Wireless N300 Universal Range Extender
Keo KLR 301
QPCOM QP-WR347N
NEXT 504N
Nisuta NS-WIR303N (probably V2)
Rockspace AC2100 Dual Band Wi-Fi Range Extender
KNUP KP-R04
Hikvision DS-3WR12-E

Also, at the time of writing, it is believed that none of these devices have been patched for the vulnerability yet.

The researchers have shared a proof of concept video and an exploit for the Nexxt Nebula 300 Plus. The downside of the researchers choosing the Nexxt Nebula 300 Plus is that it appears to be very difficult to acquire, but you can still download the firmware and test out some of their other tooling.

The only thing preventing this vulnerability from receiving widespread attention is that each router is going to need slightly different shell code. If someone were to spend time writing exploits for a majority of these targets, I think this would receive a good deal of attention, and be pretty useful. But until then, I fear that this will remain somewhat obscure to most hackers in the community.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 2