# ip-com-5 vendor:IP-COM product:M50 version:V15.11.0.33(10768) type:Buffer Overflow author:Yifeng Li, Wolin Zhuang; ## Vulnerability description We found an buffer overflow vulnerability in IP-COM Technology IP-COM’s M50 routers with firmware which was released recently, allows control “pLanPortRange” or "pWanPortRange" to attack it. ## Buffer Overflow vulnerability In formSetPortMapping function, the parameter “pLanPortRange” and "pWanPortRange" is directly strncpy to a local variable placed on the stack, which overrides the return address of the function, causing buffer overflow, and so on, we also can control the “pLanPortRange” or "pWanPortRange" to attack it.   ## PoC ### Buffer Overflow We set the value of “pLanPortRange” or "pWanPortRange" as aaaaaaaaaaaaaaaaaaaaaaaaa…… and the router will cause buffer overflow.