EPSS: 0.001 (Low), percentile 48.3%

Talos Vulnerability Report

TALOS-2023-1764

Yifan YF325 httpd gwcfg.cgi get stack-based buffer overflow vulnerability

October 11, 2023
CVE Number

CVE-2023-34346

SUMMARY

A stack-based buffer overflow vulnerability exists in the httpd gwcfg.cgi get functionality of Yifan YF325 v1.0_20221108. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0_20221108

PRODUCT URLS

YF325 - <https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html>

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-489 - Leftover Debug Code

DETAILS

The Yifan YF325 is an industrial cellular router designed for M2M and IoT applications. It allows remote management, offers several VPN services and provides many other features.

The YF325 router exposes a series of APIs. The one that handles the gwcfg.cgi/get* endpoints is probably leftover debug code; it parses the incoming request body with httpd's gwcfg_cgi_get_manage_post_data function:

/* Decompiled pseudocode (Ghidra-style types); post_data is a 0x400-byte stack buffer */
void gwcfg_cgi_get_manage_post_data(undefined4 URL_path, undefined4 client_FD, undefined4 content_length)
{
  [...]

  memset(post_data, 0, 0x400);                                   /* buffer holds 0x400 bytes */
  APP_TRACE("do_get_cfg_post url:%s,len:%d\n", URL_path, content_length);
  abc_var = websGetVar(client_FD, "abc", "0");
  if (abc_var != 0) {
    APP_TRACE("abc:%s\n", abc_var);
  }
  /* content_length comes straight from the request and is never compared to 0x400 */
  read_n = wfread(post_data, 1, content_length, client_FD);      [1]
  APP_TRACE("wfread ret:%d\n", read_n);
  APP_TRACE("do_get_cfg_post buf:%s\n", post_data);
  return;
}

At [1] the function reads the request body into post_data using the Content-Length value supplied by the client. Because that length is never checked against the size of the fixed 0x400-byte post_data stack buffer, a stack-based buffer overflow occurs at [1]. This function is reachable prior to authentication.
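As an added example (not Talos's or the vendor's code), the same read pattern with the missing check in place: the declared Content-Length is validated against the 0x400-byte buffer before any data is read. The names mem_stream, mem_read, content_length_fits, read_post_data_checked and demo_request are assumptions, and an in-memory byte string stands in for the client socket and wfread().

```c
#include <stdio.h>
#include <string.h>
#define POST_BUF_SIZE 0x400  /* same size the decompiled memset() clears */

/* Constructed stand-in for the client socket: mem_read() plays wfread(). */
typedef struct { const char *data; size_t len; size_t pos; } mem_stream;
static size_t mem_read(char *dst, size_t n, mem_stream *s) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* The check the decompiled handler lacks: the declared length must leave
   room for a terminating NUL; negative values (signed parse) are rejected. */
int content_length_fits(long content_length, size_t buf_size) {
    return content_length >= 0 && (size_t)content_length < buf_size;
}

/* Hardened reader: validate before reading instead of trusting the header.
   Returns bytes read, or -1 when the request is rejected. */
long read_post_data_checked(mem_stream *client, long content_length,
                            char *post_data, size_t buf_size) {
    if (!content_length_fits(content_length, buf_size))
        return -1;
    memset(post_data, 0, buf_size);
    size_t n = mem_read(post_data, (size_t)content_length, client);
    post_data[n] = '\0';  /* n < buf_size, so this stays in bounds */
    return (long)n;
}

/* Two constructed requests against a 0x400-byte stack buffer: oversized=1
   declares a body larger than the buffer, oversized=0 a normal form body. */
long demo_request(int oversized) {
    char post_data[POST_BUF_SIZE];
    static char big[POST_BUF_SIZE + 16];
    memset(big, 'A', sizeof big);
    mem_stream s = oversized ? (mem_stream){ big, sizeof big, 0 }
                             : (mem_stream){ "abc=1&cfg=2", 11, 0 };
    long declared = oversized ? (long)sizeof big : 11;
    return read_post_data_checked(&s, declared, post_data, sizeof post_data);
}

int main(void) {
    printf("oversized request -> %ld\n", demo_request(1));  /* -1 */
    printf("normal request    -> %ld\n", demo_request(0));  /* 11 */
    return 0;
}
```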

TIMELINE

2023-06-28 - Initial Vendor Contact
2023-07-06 - Vendor Disclosure
2023-10-11 - Public Release
2023-10-24 - Vendor Patch Release

CREDIT

Discovered by Francesco Benvenuto of Cisco Talos.
