Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220

2023-06-17 / 2023-06-18
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Buffer Overflow in TP-Link Archer AX10(EU)_V1.2_230220 # Exploit Author: Giuseppe Compare # Date : 26/05/2023 # CVE: CVE-2023-34832 # Vendor Homepage: https://www.tp-link.com/ # Version: TP-Link Archer AX10(EU)_V1.2_230220 Buffer Overflow There is a buffer overflow in the FUN_131e8 function due to using sprintf improperly, detailed in line 47-49 memset(&DAT_000283a4,0,0x800); sprintf(&DAT_000283a4,"echo \'[ %s ] %d: get OCN v6plus rules begin\n \' > /dev/console", "https_get_rules_OCN",0x3c3); system(&DAT_000283a4); //line 47-49 sprintf((char *)&local_428, "https://rule.map.ocn.ad.jp/?ipv6Prefix=%s&ipv6PrefixLength=%d&code=e8mMWklYwaGoHmT05ynqVM4kPqF9rAUnhrWCp1vWvBeSOO0pfpMokg==" ,param_2 + 0x23,param_2[0x2d]); The sprintf() function makes no guarantees regarding the length of the generated string, a sufficiently long string passed as an additional argument could generate a buffer overflow. Remediation Guarantee that storage for strings has sufficient space for character data and the null terminator. Avoid using unsafe functions such as sprintf(), consider using snprintf() or sprintf_s() and variants. Double check that your buffer is as large as you specify. Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space. Login or Register to add favorites

References:

https://packetstormsecurity.com/files/172989/TP-Link-Archer-AX10-EU-_V1.2_230220-Buffer-Overflow.html
https://jhackers.it
https://gist.github.com/jhacker91/2026e080a42514255e758d64b465d1d5


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top