CVSS3: 9.8 Critical
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
A crafted web browser cookie can trigger a stack-based buffer overflow in the system web server on the EDR-G902 and EDR-G903 Series Routers (firmware versions prior to 5.4). The request is unauthenticated: the cookie is parsed before any login check succeeds.
Recent assessments:
wvu-r7 at July 31, 2020 3:51pm UTC reported:
The web server is a 32-bit, big-endian MIPS binary at /magicP/WebServer/webs.
The patch against the websSecurityHandler() function in webs is simplistic. If the cookie length is greater than the buffer size of 512 bytes, the function fails out:
char cookie[512];
/* snip */
if (wp->cookie != NULL) {
cookie_len = strlen(wp->cookie);
+ if (512 < cookie_len) goto Fail;
memset(cookie, 0, 512);
strncpy(cookie, wp->cookie, cookie_len);
cookie[cookie_len] = '\0';
}
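Review bot: the added check `if (512 < cookie_len) goto Fail;` is off by one. A cookie of exactly 512 bytes passes it, `strncpy(cookie, wp->cookie, cookie_len)` fills all of `char cookie[512]`, and `cookie[cookie_len] = '\0';` then writes to `cookie[512]`, one byte past the end of the buffer. Reject when `cookie_len >= sizeof cookie` instead, and bound the copy by the destination rather than by the attacker's own length, e.g. `strncpy(cookie, wp->cookie, sizeof cookie - 1);` after the `memset`, which already guarantees a terminator inside the buffer.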
The exploit mitigations on the binary are lacking:
checksec output for webs.unpatched:
RELRO:         No RELRO
STACK CANARY:  No canary found
NX:            NX disabled
PIE:           No PIE
RPATH:         No RPATH
RUNPATH:       No RUNPATH
Symbols:       1226 Symbols
FORTIFY:       No
Fortified:     0
Fortifiable:   17
FILE:          webs.unpatched
No additional mitigations were enabled in the patched version. Funny enough, the binary still has debug symbols.
Exploitability seems high on this one, given the complete lack of mitigations. That said, you would not be able to copy null bytes with strncpy(3).
Assessed Attacker Value: 5; a second score of 3 is also recorded.
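The cookie copy described above, modelled as an added example. This is not Moxa's code and not the assessor's: the 512-byte buffer, the `512 < cookie_len` check and the `strncpy` bounded by the source length are taken from the quoted snippet, while the `GUARD` region above the buffer, the frame layout, the handler names and the `wp_cookie` parameter are assumptions made so the three variants can be run side by side. It goes one step beyond the snippet by probing the vendor check at exactly 512 bytes, the boundary the check leaves open.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_BUF 512          /* char cookie[512] in the assessed function */
#define GUARD      64           /* assumption: bytes modelled as lying above the buffer in the frame */
#define GUARD_FILL 0xAA

/* Stand-in for the stack frame: mem[0..511] plays the role of `char cookie[512]`,
 * mem[512..575] stands for whatever the frame holds above it. Keeping both in one
 * object lets the model observe out-of-bounds writes without undefined behaviour. */
struct frame {
    unsigned char mem[COOKIE_BUF + GUARD];
};

typedef int (*handler_fn)(struct frame *f, const char *wp_cookie);

/* Pattern 1: the unpatched copy. The strncpy bound is strlen() of the
 * attacker-controlled cookie, so it is no bound at all. Returns 0 (accepted). */
static int handler_unpatched(struct frame *f, const char *wp_cookie)
{
    char *cookie = (char *)f->mem;
    size_t cookie_len = strlen(wp_cookie);

    memset(cookie, 0, COOKIE_BUF);
    strncpy(cookie, wp_cookie, cookie_len);
    cookie[cookie_len] = '\0';
    return 0;
}

/* Pattern 2: the check quoted in the assessment, `if (512 < cookie_len) goto Fail;`.
 * A 512-byte cookie passes, fills the buffer, and the terminator lands at index 512. */
static int handler_vendor_check(struct frame *f, const char *wp_cookie)
{
    char *cookie = (char *)f->mem;
    size_t cookie_len = strlen(wp_cookie);

    if (COOKIE_BUF < cookie_len)
        return -1;                      /* goto Fail */
    memset(cookie, 0, COOKIE_BUF);
    strncpy(cookie, wp_cookie, cookie_len);
    cookie[cookie_len] = '\0';
    return 0;
}

/* Pattern 3: a hardened version. Anything that does not fit together with its
 * terminator is rejected, and the copy is bounded by the destination size. */
static int handler_fixed(struct frame *f, const char *wp_cookie)
{
    char *cookie = (char *)f->mem;
    size_t cookie_len = strlen(wp_cookie);

    if (cookie_len >= COOKIE_BUF)
        return -1;
    memset(cookie, 0, COOKIE_BUF);      /* guarantees a terminator inside the buffer */
    strncpy(cookie, wp_cookie, COOKIE_BUF - 1);
    return 0;
}

/* Feed a handler a cookie of `len` bytes of 'A' (constructed input) and report how
 * many guard bytes it changed. Returns -1 if the handler rejected the cookie and
 * -2 if `len` would overrun the model itself. */
static int guard_bytes_clobbered(handler_fn h, size_t len)
{
    struct frame f;
    char *cookie;
    size_t i;
    int clobbered = 0;

    if (len >= sizeof f.mem)
        return -2;
    cookie = malloc(len + 1);
    if (cookie == NULL)
        return -2;
    memset(cookie, 'A', len);
    cookie[len] = '\0';

    memset(f.mem, GUARD_FILL, sizeof f.mem);
    if (h(&f, cookie) != 0) {
        free(cookie);
        return -1;
    }
    for (i = COOKIE_BUF; i < sizeof f.mem; i++)
        if (f.mem[i] != GUARD_FILL)
            clobbered++;
    free(cookie);
    return clobbered;
}

int main(void)
{
    printf("unpatched,    520-byte cookie: %d bytes past the buffer\n",
           guard_bytes_clobbered(handler_unpatched, 520));
    printf("vendor check, 513-byte cookie: %d (rejected)\n",
           guard_bytes_clobbered(handler_vendor_check, 513));
    printf("vendor check, 512-byte cookie: %d byte past the buffer\n",
           guard_bytes_clobbered(handler_vendor_check, 512));
    printf("fixed,        512-byte cookie: %d (rejected)\n",
           guard_bytes_clobbered(handler_fixed, 512));
    return 0;
}
```

The unpatched handler writes `len - 512 + 1` bytes past the buffer for any cookie longer than 512 bytes, the last of them the terminating NUL. The vendor-style check stops that for 513 bytes and up but still lets a 512-byte cookie place a single NUL at index 512; on a 32-bit big-endian frame that is the high byte of whatever sits directly above the buffer. The hardened handler rejects at 512 and copies at most 511 bytes, so the terminator always falls inside the buffer.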