# H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID interface at /goform/aspForm
###### tags: `H3C` `Magic R300-2100M`
author:Yifeng Li，Wolin Zhuang;
## Vulnerability Description
H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm.
## Vulnerability Details
In the Edit_BasicSSID function, local variable v32 is 64 bytes long.
V31 can be controlled by attacker, entered as parameter 'param'.
In line 51, v31 is formatted into v32 by function sscanf as long as
the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow.
## Recurring vulnerabilities and POC
In order to reproduce the vulnerability, the following steps can be followed:
1. Upgrade router Magic_R300-2100M to newest firmware(we have a physical machine)
2. Login to 192.168.124.1 as admin
3. Attack with the following POC
POST /goform/aspForm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG=
By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress.
And you can write your own exp to get the root shell.